.github/workflows/patch.yaml

name: patch

on:
  push:
    paths:
      - '**/*'
      - '!README.md'
      - '!images/**'
jobs:
    immunize:
        runs-on: ubuntu-latest
        strategy:
          fail-fast: true
          matrix:
            # images: ['docker.io/library/nginx:1.21.6', 'docker.io/openpolicyagent/opa:0.46.0', 'mcr.microsoft.com/dotnet/aspnet:7.0.15-alpine3.18', 'docker.io/library/python:3.10.10-alpine3.17',
                    #'docker.io/library/golang:1.18.10', 'docker.io/library/node:18.17.1-slim', 'docker.io/library/rust:1.69.0', 'docker.io/library/python:3.5.10-slim']
            images: ['docker.io/library/nginx:1.21.6', 'docker.io/openpolicyagent/opa:0.46.0', 
                     'docker.io/library/python:3.13.0a3-bullseye', 'docker.io/library/python:3.11.7-slim-bookworm']

        steps:
        - name: Install Cosign
          uses: sigstore/cosign-installer@v3.1.1
          with:
            cosign-release: 'v2.2.2'
        # - name: Set up Docker Buildx
        #   uses: docker/setup-buildx-action@dedd61cf5d839122591f5027c89bf3ad27691d18

        - name: Generate Trivy Report
          uses: aquasecurity/trivy-action@69cbbc0cbbf6a2b0bab8dcf0e9f2d7ead08e87e4
          with:
            scan-type: 'image'
            format: 'json'
            output: 'report.json'
            ignore-unfixed: true
            vuln-type: 'os'
            image-ref: ${{ matrix.images }}

        - name: Check Vuln Count
          id: vuln_count
          run: |
            report_file="report.json"
            vuln_count=$(jq '.Results | length' "$report_file")
            echo "vuln_count=$vuln_count" >> $GITHUB_OUTPUT

        - name: Set Tag
          id: set_tag
          run: |
            TAG=$(echo "${{ matrix.images }}" | grep -oP '(?<=:).*' | grep -oP '^[^/]+')
            IMMUNIZED_TAG="${TAG}-immunized"
            PATCHED_TAG_SBOM=$(echo "${{matrix.images}}" | tr '/:' '-')
            echo "PATCHED_TAG=${IMMUNIZED_TAG}" >> $GITHUB_ENV
            echo "PATCHED_TAG_SBOM=${PATCHED_TAG_SBOM}" >> $GITHUB_ENV

        - name: Copa Action
          if: steps.vuln_count.outputs.vuln_count != '0'
          id: copa
          uses: sozercan/copa-action@out-vex
          with:
            image: ${{ matrix.images }}
            image-report: 'report.json'
            patched-tag: ${{ env.PATCHED_TAG }}
            output: ${{ env.PATCHED_TAG_SBOM }}-openvex-report.json

        # - name: list files
        #   run: |
        #     ls -al
        #     cat test.json
        #     sudo cat test.json

        - name: Archive openvex vuln report
          uses: actions/upload-artifact@v4
          with:
            name: ${{ env.PATCHED_TAG_SBOM }}-openvex-report
            path: ${{ env.PATCHED_TAG_SBOM }}-openvex-report.json

        - name: Log into ghcr
          if: steps.copa.conclusion == 'success'
          id: login
          uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d
          with:
            registry: ghcr.io
            username: ${{ github.actor }}
            password: ${{ secrets.GITHUB_TOKEN }}

        - name: Tag Image for GHCR
          if: steps.login.conclusion == 'success'
          run: |
            docker tag ${{ steps.copa.outputs.patched-image }} ghcr.io/r3drun3/immunize/${{ steps.copa.outputs.patched-image }}

        - name: Docker Push Patched Image
          id: push
          if: steps.login.conclusion == 'success'
          run: |
            docker push ghcr.io/r3drun3/immunize/${{ steps.copa.outputs.patched-image }}

        - name: Produce Image SBOM
          uses: anchore/sbom-action@v0
          with:
            image: "ghcr.io/r3drun3/immunize/${{ steps.copa.outputs.patched-image }}"
            artifact-name: ${{ env.PATCHED_TAG_SBOM }}.spdx.json

        - name: Sign image with Cosign
          run: |
            cosign sign --yes --key env://COSIGN_PRIVATE_KEY "ghcr.io/r3drun3/immunize/${{ steps.copa.outputs.patched-image }}"
          env:
            COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
            COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}

        - name: Attest the Image with SBOM
          run: |
            echo "${{ env.PATCHED_TAG_SBOM }}"
            SBOM_FILE=$(find /tmp/sbom-action-* -name "*${{ env.PATCHED_TAG_SBOM }}*.spdx.json" -type f)
            echo "${SBOM_FILE}"
            if [ -z "$SBOM_FILE" ]; then
              echo "Error: .spdx file not found"
              exit 1
            fi
            cosign attest --yes --key env://COSIGN_PRIVATE_KEY --type spdx --predicate "${SBOM_FILE}" "ghcr.io/r3drun3/immunize/${{ steps.copa.outputs.patched-image }}"
          env:
            COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
            COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}


    send-mail-report:
      runs-on: ubuntu-latest
      needs: immunize
      steps:
        - name: Checkout Repository
          uses: actions/checkout@v3

        - name: Download openvex reports
          uses: actions/download-artifact@v4

        - name: List files
          run : |
            ls -lah

        - name: Send Mail Report
          run: |
            python $GITHUB_WORKSPACE/send_mail_report.py
          env:
            EMAIL_RECIPIENTS: ${{ secrets.EMAIL_RECIPIENTS }}
            EMAIL_ADDRESS: ${{ secrets.EMAIL_ADDRESS }}
            EMAIL_PASSWORD: ${{ secrets.EMAIL_PASSWORD }}