INSIGHTS-118 - insights plugins pipeline is not being able to scan the latest changes before release

.circleci/config.yml

@@ -191,7 +191,16 @@ jobs:
       - set_environment_variables
       - setup_remote_docker
       - run: ./.circleci/scripts/install-trivy.sh
-      - run: ./scripts/scan-all.sh
+      - set_tags
+      - run:
+          name: Scan for vulnerabilities
+          command: |
+            if [ "$CIRCLE_BRANCH" != "main" ]
+            then
+              ./scripts/scan-all.sh $CIRCLE_BRANCH "${CHANGED[*]}"
+            else
+              ./scripts/scan-all.sh
+            fi
       - run: |
           if ! git diff --exit-code fairwinds-insights.yaml; then
             echo "Please run `SKIP_TRIVY=true ./scripts/scan-all.sh` to regenerate fairwinds-insights.yaml"
@@ -337,3 +346,4 @@ workflows:
                 - main
     jobs:
       - build_and_push_plugins
+      - scan_for_vulnerabilities

scripts/scan-all.sh

@@ -1,6 +1,11 @@
 #! /bin/bash
 set -eo pipefail
 
+declare branch_name=$1
+declare -a changed_plugins=($2)
+
+branch_name=$(echo $branch_name | sed 's/\//-/g')
+
 # Hard-coding four external images we own. Versions taken from insights-agent. Need to find a better solution here.
 images=(quay.io/fairwinds/polaris:9.0 quay.io/fairwinds/nova:v3.9 us-docker.pkg.dev/fairwinds-ops/oss/pluto:v5.19 us-docker.pkg.dev/fairwinds-ops/oss/goldilocks:v4.11)
 have_vulns=()
@@ -27,11 +32,46 @@ for name in "${images[@]}"; do
   echo -e "    - $name" >> ./fairwinds-insights.yaml
 done
 
+declare -A changed_plugins_map
+for plugin in "${changed_plugins[@]}"; do
+  changed_plugins_map[$plugin]=1
+done
+
+# create a map to match images in images array to the plugin name
+declare -A plugin_map
+plugin_map["quay.io/fairwinds/insights-admission-controller"]="admission"
+plugin_map["quay.io/fairwinds/aws-costs"]="aws-costs"
+plugin_map["quay.io/fairwinds/insights-ci"]="ci"
+plugin_map["quay.io/fairwinds/cloud-costs"]="cloud-costs"
+plugin_map["quay.io/fairwinds/falco-agent"]="falco"
+plugin_map["quay.io/fairwinds/fw-kube-bench-aggregator"]="kube-bench-aggregator"
+plugin_map["quay.io/fairwinds/fw-kube-bench"]="kube-bench"
+plugin_map["quay.io/fairwinds/kubectl"]="kubectl"
+plugin_map["quay.io/fairwinds/fw-kubesec"]="kubesec"
+plugin_map["quay.io/fairwinds/kyverno"]="kyverno"
+plugin_map["quay.io/fairwinds/fw-opa"]="opa"
+plugin_map["quay.io/fairwinds/postgres-partman"]="postgres"
+plugin_map["quay.io/fairwinds/prometheus-collector"]="postgres-partman"
+plugin_map["quay.io/fairwinds/rbac-reporter"]="rbac-reporter"
+plugin_map["quay.io/fairwinds/right-sizer"]="right-sizer"
+plugin_map["quay.io/fairwinds/fw-trivy"]="trivy"
+plugin_map["quay.io/fairwinds/insights-uploader"]="uploader"
+plugin_map["quay.io/fairwinds/insights-utils"]="utils"
+plugin_map["quay.io/fairwinds/workloads"]="workloads"
+
 echo "scanning all images"
 for name in "${images[@]}"; do
     if [[ $SKIP_TRIVY == "true" ]]; then
       break
     fi
+
+    name_without_tag=$(echo $name | sed "s/:.*//") 
+    if [[ -n ${plugin_map[$name_without_tag]} ]]; then
+      if [[ -n ${changed_plugins_map[${plugin_map[$name_without_tag]}]} ]]; then
+        name=$(echo $name_without_tag:$branch_name)
+      fi
+    fi
+
     echo "scanning $name"
     docker pull $name