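name: Trivy module
author: Bolt lee
description: 'Trivy module'
# Composite action: scans <ECR_REGISTRY>/trivy-scanning:<TAG> with Trivy, deletes
# that tag from ECR again, and writes HIGH/CRITICAL counts to the job step summary.
# No top-level `outputs:` is declared, so a calling workflow observes only the
# action's exit status and the step summary; the counts produced by the `result`
# step are step-scoped outputs used inside this action only.
# Input names are part of the interface (TAG/ECR_* upper-case, the rest
# kebab/snake case) and are kept as-is for callers.
inputs:
  TAG:
    description: 'Tag of <ECR_REGISTRY>/trivy-scanning to scan; the tag is deleted from ECR after the scan.'
    required: true
    default: ''
  ECR_REGISTRY:
    description: 'ECR registry host prefixed to trivy-scanning:<TAG> to form the scanned image-ref.'
    required: true
    default: 'sample-registry'
  ECR_REPOSITORY:
    description: 'Not referenced by any step of this action (the repository is fixed to trivy-scanning).'
    required: false
    default: 'sample-repository'
  dockerfile:
    description: 'Not referenced by any step of this action.'
    required: false
    default: 'Dockerfile'
  file-changes:
    description: 'file pattern list for checking rebuilding image or not (not referenced by any step of this action).'
    required: false
    default: ''
  file-ignore-changes:
    description: 'file pattern list for checking rebuilding image or not (not referenced by any step of this action).'
    required: false
    default: ''
  extra-build-args:
    description: 'Not referenced by any step of this action.'
    required: false
    default: ''
  base_sha:
    description: 'Not referenced by any step of this action.'
    required: false
    default: ''
  sha:
    description: 'Not referenced by any step of this action.'
    required: false
    default: ''
  deploy_env:
    description: 'Deployment environment; "qa" and "staging" are the environments gated on scan findings.'
    required: false
    default: ''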

runs:
  using: "composite"
  # Step order matters: `result` publishes the check/TOTAL_*_COUNT step outputs
  # that the two steps after it read via steps.result.outputs.*, and the scanned
  # tag is deleted from ECR right after the scan, so later steps work only from
  # trivy-result.json.
  steps:
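  - name: scan image vulnerability
    # NOTE(review): `@master` is a mutable ref, so the scanner code can change
    # underneath this action; pin to a release tag or full commit SHA
    # (aquasecurity/trivy-action@<RELEASE_TAG_OR_COMMIT_SHA>).
    uses: aquasecurity/trivy-action@master
    with:
      scan-type: 'image'
      # Image the caller pushed under the fixed trivy-scanning repository; the
      # next step deletes this tag again once the report exists.
      image-ref: '${{ inputs.ECR_REGISTRY }}/trivy-scanning:${{ inputs.TAG }}'
      vuln-type: 'os,library'
      # Action inputs are strings; quoted so YAML does not retype the value.
      ignore-unfixed: 'true'
      severity: 'CRITICAL,HIGH'
      # `security-checks` is the older name of this input; current trivy-action
      # releases call it `scanners` - confirm against the version you pin.
      security-checks: 'vuln'
      # No exit-code is requested: findings do not fail this step, the
      # `result` step below decides based on the JSON report.
      format: 'json'
      output: 'trivy-result.json'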
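  - name: trivy-scanning ecr repo image delete
    shell: bash
    # The tag is passed through env rather than interpolated with ${{ }} into the
    # script body, so a crafted TAG value cannot inject shell commands.
    # NOTE(review): this step has no `if:`, so when the scan step fails the tag
    # stays behind in ECR.
    env:
      IMAGE_TAG: ${{ inputs.TAG }}
    run: |
      echo "Delete trivy-scanning image: ${IMAGE_TAG}"
      aws ecr batch-delete-image --repository-name trivy-scanning --image-ids "imageTag=${IMAGE_TAG}" --region ap-northeast-2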
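  - name: install jq
    shell: bash
    # Installs the pinned jq 1.6 release binary. GitHub-hosted runners already
    # ship jq, so this mainly matters on self-hosted runners that lack it.
    run: |
      set -euo pipefail
      JQ_URL="https://github.com/stedolan/jq/releases/download/jq-1.6/jq-linux64"
      tmp="$(mktemp)"
      # -f: an HTTP error must fail here instead of installing the error page
      # as an executable named jq.
      curl -fsSL "${JQ_URL}" -o "${tmp}"
      # NOTE(review): verify the download before installing it, e.g.
      #   echo "<EXPECTED_SHA256>  ${tmp}" | sha256sum -c -
      # with the checksum of the jq-1.6 linux64 asset recorded in this repository.
      install -m 0755 "${tmp}" /usr/local/bin/jq
      rm -f "${tmp}"
      jq --version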
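  - name: check trivy result
    id: result
    shell: bash
    # Step outputs (this action declares no top-level `outputs:`):
    #   TOTAL_OS_COUNT / TOTAL_LIBRARY_COUNT - HIGH/CRITICAL findings per class
    #   check - 'false' when any finding exists, 'true' when the image is clean
    run: |
      set -euo pipefail
      # Fail closed: a missing or empty report must not be counted as a clean image.
      if [[ ! -s trivy-result.json ]]; then
        echo "trivy-result.json is missing or empty"
        exit 1
      fi
      cat trivy-result.json
      # Count by Trivy result class (os-pkgs / lang-pkgs) instead of assuming the
      # OS result is Results[0] and the library result is Results[1]; a class
      # that is absent from the report counts as 0.
      count_by_class() {
        jq -r --arg cls "$1" '
          [ .Results[]? | select(.Class == $cls) | .Vulnerabilities[]? | .Severity
            | select(. == "HIGH" or . == "CRITICAL") ] | length
        ' trivy-result.json
      }
      echo "OS Check"
      TOTAL_OS_COUNT="$(count_by_class os-pkgs)"
      echo "Library Check"
      TOTAL_LIBRARY_COUNT="$(count_by_class lang-pkgs)"
      TOTAL_COUNT=$((TOTAL_OS_COUNT + TOTAL_LIBRARY_COUNT))
      echo "==== TOTAL VULNERABILITY ===="
      echo "TOTAL OS_VULNERABILITY COUNT: $TOTAL_OS_COUNT"
      echo "TOTAL LIBRARY_VULNERABILITY COUNT: $TOTAL_LIBRARY_COUNT"
      echo "TOTAL VULNERABILITY COUNT: $TOTAL_COUNT"
      {
        echo "TOTAL_OS_COUNT=$TOTAL_OS_COUNT"
        echo "TOTAL_LIBRARY_COUNT=$TOTAL_LIBRARY_COUNT"
      } >> "$GITHUB_OUTPUT"
      if [[ "$TOTAL_COUNT" -gt 0 ]]; then
        echo "Image vulnerability detect"
        # 'false' means the check did not pass; the following steps key on it.
        echo "check=false" >> "$GITHUB_OUTPUT"
      else
        echo "check=true" >> "$GITHUB_OUTPUT"
        # Clean image: the summary step is skipped, so write the empty tables here.
        {
          for section in OS LIBRARY; do
            echo "## Trivy Summary(${section})"
            echo "| PkgName    | CVE        | Severity    | InstallVersion    | FixVersion    |"
            echo "|------------|------------|-------------|-------------------|---------------|"
            echo "| -          | -          | -           | -                 | -             |"
          done
        } >> "$GITHUB_STEP_SUMMARY"
      fi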
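  - name: trivy summary show
    shell: bash
    if: |
      steps.result.outputs.check == 'false'
    # Counts come from the `result` step; passed through env so the script body
    # contains no ${{ }} interpolation.
    env:
      TOTAL_OS_COUNT: ${{ steps.result.outputs.TOTAL_OS_COUNT }}
      TOTAL_LIBRARY_COUNT: ${{ steps.result.outputs.TOTAL_LIBRARY_COUNT }}
    run: |
      set -euo pipefail
      echo "====== TOTAL COUNT ======"
      echo "${TOTAL_OS_COUNT}"
      echo "${TOTAL_LIBRARY_COUNT}"
      echo "========================"
      # Writes one markdown table per result class to the step summary (and the
      # log). Rows are rendered by jq directly from the report, which avoids the
      # line-by-line head/tail re-reads and keeps the five fields of one finding
      # together; a literal '|' inside a field is escaped so it cannot break the
      # table layout.
      write_table() {
        local title="$1" cls="$2" count="$3"
        {
          echo "## Trivy Summary(${title})"
          echo "| PkgName    | CVE        | Severity    | InstallVersion    | FixVersion    |"
          echo "|------------|------------|-------------|-------------------|---------------|"
          if [[ "${count}" -gt 0 ]]; then
            jq -r --arg cls "${cls}" '
              .Results[]? | select(.Class == $cls) | .Vulnerabilities[]?
              | [ .PkgName, .VulnerabilityID, .Severity, .InstalledVersion, .FixedVersion ]
              | map(tostring | gsub("\\|"; "\\|"))
              | "| " + join(" | ") + " |"
            ' trivy-result.json
          else
            echo "| -          | -          | -           | -                 | -             |"
          fi
        } | tee -a "$GITHUB_STEP_SUMMARY"
      }
      write_table OS os-pkgs "${TOTAL_OS_COUNT}"
      write_table LIBRARY lang-pkgs "${TOTAL_LIBRARY_COUNT}"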

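  - name: trivy-scanning check
    shell: bash
    if: |
      steps.result.outputs.check == 'false'
    # deploy_env is caller-supplied; read it from env rather than interpolating
    # it into the script so it is compared as data, not executed.
    env:
      DEPLOY_ENV: ${{ inputs.deploy_env }}
    run: |
      # Gate for qa/staging: HIGH/CRITICAL findings must fail the action, not
      # just be logged. This action declares no outputs, so a non-zero exit is
      # the only signal the calling workflow receives.
      if [[ "${DEPLOY_ENV}" == "qa" || "${DEPLOY_ENV}" == "staging" ]]; then
        echo "detect image vulnerability"
        echo "shutdown github action"
        exit 1
      fi
      echo "vulnerabilities found but DEPLOY_ENV='${DEPLOY_ENV}' is not gated; continuing"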
