@@ -19,52 +19,139 @@ inputs:
1919 idp_aws_report_upload_bucket_endpoint :
2020 description : " IDP AWS report upload endpoint to upload the report to"
2121 required : false
22+ skip_if_pr_has_label :
23+ description : " Skip dependency scanning when the triggering PR has this label"
24+ required : false
25+ default : " skip-dependencies-check"
2226runs :
2327 using : " composite"
2428 steps :
29+ - name : " Check if dependency scan should be skipped"
30+ id : skip-check
31+ shell : bash
32+ env :
33+ GH_TOKEN : ${{ github.token }}
34+ run : |
35+ SHOULD_SKIP="false"
36+
37+ # Only check labels if a skip label is configured
38+ if [[ -n "${{ inputs.skip_if_pr_has_label }}" ]]; then
39+ PR_NUMBER=""
40+
41+ # Try to get PR number from event context first (for direct PR triggers)
42+ if [[ -n "${{ github.event.pull_request.number }}" ]]; then
43+ PR_NUMBER="${{ github.event.pull_request.number }}"
44+ fi
45+
46+ # If no PR number from event, try to find it from the branch (for workflow_call context)
47+ if [[ -z "${PR_NUMBER}" ]]; then
48+ REF="${{ github.ref }}"
49+ if [[ "${REF}" == refs/heads/* ]]; then
50+ BRANCH_NAME="${REF#refs/heads/}"
51+ # Find PR for this branch
52+ RESULT=$(gh pr list --head "${BRANCH_NAME}" --limit 1 --state open --json number --jq '.[0].number' 2>/dev/null || echo "")
53+ if [[ -n "${RESULT}" && "${RESULT}" != "null" ]]; then
54+ PR_NUMBER="${RESULT}"
55+ fi
56+ elif [[ "${REF}" == refs/pull/* ]]; then
57+ PR_NUMBER="${REF#refs/pull/}"
58+ PR_NUMBER="${PR_NUMBER%%/*}"
59+ fi
60+ fi
61+
62+ # If we have a PR number, query its labels
63+ if [[ -n "${PR_NUMBER}" ]]; then
64+ if gh pr view "${PR_NUMBER}" --json labels --jq '.labels[].name' | grep -Fxq "${{ inputs.skip_if_pr_has_label }}"; then
65+ SHOULD_SKIP="true"
66+ fi
67+ fi
68+ fi
69+
70+ echo "should_skip=${SHOULD_SKIP}" >> "$GITHUB_OUTPUT"
71+ - name : " Skip dependency scan"
72+ if : steps.skip-check.outputs.should_skip == 'true'
73+ shell : bash
74+ run : |
75+ echo "Dependency scan skipped because PR has label '${{ inputs.skip_if_pr_has_label }}'."
2576 - name : " Generate SBOM"
77+ if : steps.skip-check.outputs.should_skip != 'true'
2678 shell : bash
2779 run : |
80+ ACTION_ROOT="$(cd "${GITHUB_ACTION_PATH}/../../.." && pwd)"
81+ export TOOLING_ROOT="${ACTION_ROOT}"
2882 export BUILD_DATETIME=${{ inputs.build_datetime }}
29- . /scripts/reports/create-sbom-report.sh
83+ "${ACTION_ROOT} /scripts/reports/create-sbom-report.sh"
3084 - name : " Compress SBOM report"
85+ if : steps.skip-check.outputs.should_skip != 'true'
3186 shell : bash
3287 run : zip sbom-repository-report.json.zip sbom-repository-report.json
3388 - name : " Upload SBOM report as an artefact"
34- if : ${{ !env.ACT }}
89+ if : ${{ !env.ACT && steps.skip-check.outputs.should_skip != 'true' }}
3590 uses : actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
3691 with :
3792 name : sbom-repository-report.json.zip
3893 path : ./sbom-repository-report.json.zip
3994 retention-days : 21
4095 - name : " Scan vulnerabilities"
96+ if : steps.skip-check.outputs.should_skip != 'true'
4197 shell : bash
4298 run : |
99+ ACTION_ROOT="$(cd "${GITHUB_ACTION_PATH}/../../.." && pwd)"
100+ export TOOLING_ROOT="${ACTION_ROOT}"
43101 export BUILD_DATETIME=${{ inputs.build_datetime }}
44- ./scripts/reports/scan-vulnerabilities.sh
102+ "${ACTION_ROOT}/scripts/reports/scan-vulnerabilities.sh"
103+ - name : " Generate vulnerabilities summary"
104+ if : steps.skip-check.outputs.should_skip != 'true'
105+ shell : bash
106+ run : |
107+ ACTION_ROOT="$(cd "${GITHUB_ACTION_PATH}/../../.." && pwd)"
108+ "${ACTION_ROOT}/scripts/reports/parse-vulnerabilities.sh" vulnerabilities-repository-report.json | tee vulnerabilities-summary.md
109+ if [[ -n "${GITHUB_STEP_SUMMARY:-}" ]]; then
110+ cat vulnerabilities-summary.md >> "$GITHUB_STEP_SUMMARY"
111+ fi
45112 - name : " Compress vulnerabilities report"
113+ if : steps.skip-check.outputs.should_skip != 'true'
46114 shell : bash
47115 run : zip vulnerabilities-repository-report.json.zip vulnerabilities-repository-report.json
48116 - name : " Upload vulnerabilities report as an artefact"
49- if : ${{ !env.ACT }}
117+ if : ${{ !env.ACT && steps.skip-check.outputs.should_skip != 'true' }}
50118 uses : actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
51119 with :
52120 name : vulnerabilities-repository-report.json.zip
53121 path : ./vulnerabilities-repository-report.json.zip
54122 retention-days : 21
123+ - name : " Upload vulnerabilities summary as an artefact"
124+ if : ${{ !env.ACT && steps.skip-check.outputs.should_skip != 'true' }}
125+ uses : actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
126+ with :
127+ name : vulnerabilities-summary.md
128+ path : ./vulnerabilities-summary.md
129+ retention-days : 21
130+ - name : " Fail if Critical or High vulnerabilities found"
131+ if : steps.skip-check.outputs.should_skip != 'true'
132+ shell : bash
133+ run : |
134+ CRITICAL_COUNT=$(jq '[.matches[] | select(.vulnerability.severity == "Critical") | {id: .vulnerability.id, package: .artifact.name, version: .artifact.version}] | unique_by([.id, .package, .version]) | length' vulnerabilities-repository-report.json)
135+ HIGH_COUNT=$(jq '[.matches[] | select(.vulnerability.severity == "High") | {id: .vulnerability.id, package: .artifact.name, version: .artifact.version}] | unique_by([.id, .package, .version]) | length' vulnerabilities-repository-report.json)
136+ echo "Critical: $CRITICAL_COUNT, High: $HIGH_COUNT"
137+ if [[ "$CRITICAL_COUNT" -gt 0 || "$HIGH_COUNT" -gt 0 ]]; then
138+ echo "::error::Found $CRITICAL_COUNT Critical and $HIGH_COUNT High severity vulnerabilities"
139+ exit 1
140+ fi
55141 - name : " Check prerequisites for sending the reports"
142+ if : steps.skip-check.outputs.should_skip != 'true'
56143 shell : bash
57144 id : check
58145 run : echo "secrets_exist=${{ inputs.idp_aws_report_upload_role_name != '' && inputs.idp_aws_report_upload_bucket_endpoint != '' }}" >> $GITHUB_OUTPUT
59146 - name : " Authenticate to send the reports"
60- if : steps.check.outputs.secrets_exist == 'true'
147+ if : steps.skip-check.outputs.should_skip != 'true' && steps. check.outputs.secrets_exist == 'true'
61148 uses : aws-actions/configure-aws-credentials@acca2b1b2070338fb9fd1ca27ecee81d687e58e5 # v6.1.2
62149 with :
63150 role-to-assume : arn:aws:iam::${{ inputs.idp_aws_report_upload_account_id }}:role/${{ inputs.idp_aws_report_upload_role_name }}
64151 aws-region : ${{ inputs.idp_aws_report_upload_region }}
65152 - name : " Send the SBOM and vulnerabilities reports to the central location"
66153 shell : bash
67- if : steps.check.outputs.secrets_exist == 'true'
154+ if : steps.skip-check.outputs.should_skip != 'true' && steps. check.outputs.secrets_exist == 'true'
68155 run : |
69156 aws s3 cp \
70157 ./sbom-repository-report.json.zip \
0 commit comments