feat(cd): Integrate container and cve scanning post publishing (#10275)

Backported from #10272 

* (feat/container-scanning): Integrate container and cve scanning post … (#10272)

* (feat/container-scanning): Integrate container and cve scanning post publishing

* build/ENGEN-844 review (#10273)

* chore(gha): cleanup trailing whitespace

* chore(gha): simplify release scan image as ENV

* chore(gha): simplify release scan logic

* fix(gha): release scan IMAGE context

* chore(gha): fix scan manifest output redirection

---------

Co-authored-by: Isa Farnik <[email protected]>

* fix(cd): remove container scan dependency

---------

Co-authored-by: Isa Farnik <[email protected]>

.github/matrix-commitly.yml

@@ -15,6 +15,7 @@ smoke-tests:
 - label: ubuntu
 
 scan-vulnerabilities:
+- label: ubuntu
 
 release-packages:
 

.github/workflows/release.yml

@@ -151,7 +151,7 @@ jobs:
       if: matrix.package == 'deb' && steps.cache-deps.outputs.cache-hit != 'true'
       run: |
         sudo apt-get update && sudo apt-get install libyaml-dev -y
-      
+
     - name: Install Ubuntu Cross Build Dependencies (arm64)
       if: matrix.package == 'deb' && steps.cache-deps.outputs.cache-hit != 'true' && endsWith(matrix.label, 'arm64')
       run: |
@@ -323,6 +323,70 @@ jobs:
           Docker image available `${{ needs.metadata.outputs.prerelease-docker-repository }}:${{ github.sha }}`
           Artifacts available https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}
 
+  scan:
+    name: Scan - ${{ matrix.label }}
+    needs: [metadata, build-images]
+    runs-on: ubuntu-22.04
+    if: |-
+      always()
+      && fromJSON(needs.metadata.outputs.matrix)['scan-vulnerabilities'] != ''
+      && needs.build-images.result == 'success'
+      && (github.event_name != 'pull_request' || (github.event.pull_request.head.repo.full_name == github.repository && github.actor != 'dependabot[bot]'))
+    strategy:
+      fail-fast: false
+      matrix:
+        include: "${{ fromJSON(needs.metadata.outputs.matrix)['scan-vulnerabilities'] }}"
+    env:
+      IMAGE: ${{ needs.metadata.outputs.prerelease-docker-repository }}:${{ github.sha }}-${{ matrix.label }}
+    steps:
+    - name: Install regctl
+      uses: regclient/actions/regctl-installer@main
+
+    - name: Login to Docker Hub
+      if: ${{ env.HAS_ACCESS_TO_GITHUB_TOKEN }}
+      uses: docker/login-action@bc135a1993a1d0db3e9debefa0cfcb70443cc94c
+      with:
+        username: ${{ secrets.GHA_DOCKERHUB_PUSH_USER }}
+        password: ${{ secrets.GHA_KONG_ORG_DOCKERHUB_PUSH_TOKEN }}
+
+    # TODO: Refactor matrix file to support and parse platforms specific to distro
+    # Workaround: Look for specific amd64 and arm64  hardcooded architectures
+    - name: Parse Architecture Specific Image Manifest Digests
+      id: image_manifest_metadata
+      run: |
+        manifest_list_exists="$(
+          if regctl manifest get "${IMAGE}" --format raw-body --require-list -v panic &> /dev/null; then
+            echo true
+          else
+            echo false
+          fi
+        )"
+        echo "manifest_list_exists=$manifest_list_exists"
+        echo "manifest_list_exists=$manifest_list_exists" >> $GITHUB_OUTPUT
+
+        amd64_sha="$(regctl image digest "${IMAGE}" --platform linux/amd64 || echo '')"
+        arm64_sha="$(regctl image digest "${IMAGE}" --platform linux/arm64 || echo '')"
+        echo "amd64_sha=$amd64_sha"
+        echo "amd64_sha=$amd64_sha" >> $GITHUB_OUTPUT
+        echo "arm64_sha=$arm64_sha"
+        echo "arm64_sha=$arm64_sha" >> $GITHUB_OUTPUT
+
+    - name: Scan AMD64 Image digest
+      id: sbom_action_amd64
+      if: steps.image_manifest_metadata.outputs.amd64_sha != ''
+      uses: Kong/public-shared-actions/security-actions/scan-docker-image@b2e4a29d30382e1cceeda8df1e8b8bee65bef39b
+      with:
+        asset_prefix: kong-${{ github.sha }}-${{ matrix.label }}-linux-amd64
+        image: ${{env.IMAGE}}@${{ steps.image_manifest_metadata.outputs.amd64_sha }}
+
+    - name: Scan ARM64 Image digest
+      if: steps.image_manifest_metadata.outputs.manifest_list_exists == 'true' && steps.image_manifest_metadata.outputs.arm64_sha != ''
+      id: sbom_action_arm64
+      uses: Kong/public-shared-actions/security-actions/scan-docker-image@b2e4a29d30382e1cceeda8df1e8b8bee65bef39b
+      with:
+        asset_prefix: kong-${{ github.sha }}-${{ matrix.label }}-linux-arm64
+        image: ${{env.IMAGE}}@${{ steps.image_manifest_metadata.outputs.arm64_sha }}
+
   smoke-tests:
     name: Smoke Tests - ${{ matrix.label }}
     needs: [metadata, build-images]
@@ -381,34 +445,6 @@ jobs:
     - name: Smoke Tests - Admin API
       run: build/tests/01-admin-api.sh
 
-  scan-vulnerabilities:
-    name: Scan Vulnerabilities - ${{ matrix.label }}
-    needs: [metadata, build-images]
-    runs-on: ubuntu-22.04
-    if: |-
-      fromJSON(needs.metadata.outputs.matrix)['scan-vulnerabilities'] != ''
-      && (github.event_name != 'pull_request' || (github.event.pull_request.head.repo.full_name == github.repository && github.actor != 'dependabot[bot]'))
-
-    strategy:
-      # runs all jobs sequentially
-      max-parallel: 1
-      fail-fast: false
-      matrix:
-        include: "${{ fromJSON(needs.metadata.outputs.matrix)['scan-vulnerabilities'] }}"
-
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v3
-
-      - name: Run Trivy vulnerability scanner
-        uses: aquasecurity/trivy-action@9ab158e8597f3b310480b9a69402b419bc03dbd5 # v0.8.0
-        env:
-          TRIVY_USERNAME: ${{ secrets.GHA_DOCKERHUB_PUSH_USER }}
-          TRIVY_PASSWORD: ${{ secrets.GHA_KONG_ORG_DOCKERHUB_PUSH_TOKEN }}
-        with:
-          image-ref: ${{ env.PRERELEASE_DOCKER_REPOSITORY }}:${{ github.sha }}-${{ matrix.label }}
-          severity: 'CRITICAL,HIGH'
-
   release-packages:
     name: Release Packages - ${{ matrix.label }} - ${{ needs.metadata.outputs.release-desc }}
     needs: [metadata, build-packages, build-images, smoke-tests]