name: Image Vulnerability Scan

on:
  workflow_call:

env:
  REPO: ${{ github.repository }}/temp #Add /temp for temporary images

jobs:

  image-vulnerability-scan:
    runs-on: ubuntu-22.04

    steps:
    - id: get-id
      name: Get a unique tag for this build
      run: |
        SHA=${{ github.sha }}; BRANCH_NAME=${{ github.base_ref || github.ref_name }};
        BUILD_ID=$BRANCH_NAME-${SHA:0:8};
        DOCKER_IMAGE=${{ secrets.docker_repo2_registry }}/$REPO:$BUILD_ID;
        echo "BUILD_ID=$BUILD_ID" >> "$GITHUB_OUTPUT";
        echo "DOCKER_IMAGE=$DOCKER_IMAGE" >> "$GITHUB_OUTPUT";

    - name: Print build id and image name
      run: |
        echo "BUILD_ID: ${{ steps.get-id.outputs.BUILD_ID }}"; 
        echo "DOCKER_IMAGE: ${{ steps.get-id.outputs.DOCKER_IMAGE }}";

    - uses: actions/checkout@v4

    - name: Login to docker container registry
      uses: docker/login-action@v3
      with:
        registry: ${{ secrets.docker_repo2_registry }}
        username: ${{ secrets.docker_repo2_username }}
        password: ${{ secrets.docker_repo2_password }}

    - name: Build the container image (quick, without PUBLIC_BUILD_VERSION)
      # Commenting this from docker build for speed: --build-arg PUBLIC_BUILD_VERSION=$BUILD_ID \
      run: |
        docker build \
          --file fab/d/actions-build.Dockerfile \
          --tag ${{ steps.get-id.outputs.DOCKER_IMAGE }} \
          .;

    - name: Container details
      run: |
        IMAGE_SIZE=`docker inspect -f "{{ .Size }}" ${{ steps.get-id.outputs.DOCKER_IMAGE }} | numfmt --to=si`;
        echo "$IMAGE_SIZE container ${{ steps.get-id.outputs.DOCKER_IMAGE }}";

    - name: Scan container image for vulnerabilities with grype
      uses: anchore/scan-action@v6
      with:
        image: ${{ steps.get-id.outputs.DOCKER_IMAGE }}
        cache-db: true #Cache Grype DB in Github Actions
        output-format: table
        only-fixed: true
        severity-cutoff: critical
        fail-build: true