Merge pull request #385 from pagopa/develop

chore: promotion to main - refactor scan workflow

Author: and-mora

.github/workflows/scan.yml

@@ -31,7 +31,10 @@ jobs:
       security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
       actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
     runs-on: ubuntu-latest
-    environment: prod
+    outputs:
+      CVE_CRITICAL: ${{env.CVE_CRITICAL}}
+      CVE_HIGH: ${{env.CVE_HIGH}}
+      CVE_MEDIUM: ${{env.CVE_MEDIUM}}
     steps:
       - name: Checkout the code
         uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 #v3.6.0
@@ -60,30 +63,13 @@ jobs:
         id: cve-threshold
         if: env.CVE_HIGH > 0 || env.CVE_CRITICAL > 0
         run: exit 1
-      - name: Send notification to Slack
-        id: slack
-        if: always() && github.event_name == 'schedule' && steps.cve-threshold.outcome == 'failure'
-        uses: slackapi/slack-github-action@e28cf165c92ffef168d23c5c9000cffc8a25e117 #v1.24.0
-        with:
-          payload: |
-            {
-              "blocks": [
-                {
-                  "type": "header",
-                  "text": {
-                    "type": "plain_text",
-                    "text": "[ ${{ github.event.repository.name }} ]"
-                  }
-                },
-                {
-                  "type": "section",
-                  "text": {
-                    "type": "mrkdwn",
-                    "text": " `CRITICAL` : *${{ env.CVE_CRITICAL }}*\n\n`HIGH` : *${{ env.CVE_HIGH }}*\n\n`MEDIUM` : *${{ env.CVE_MEDIUM }}*\n\n<https://github.com/${{ github.repository }}/security/code-scanning |See details on GitHub>"
-                  }
-                }
-              ]
-            }
-        env:
-          SLACK_WEBHOOK_URL: ${{ secrets.CVE_SCAN_SLACK_WEBHOOK }}
-          SLACK_WEBHOOK_TYPE: INCOMING_WEBHOOK
+
+  SendSlackNotification:
+    needs: BuildAndScan
+    uses: ./.github/workflows/send-notification.yml
+    if: github.event_name == 'schedule' && needs.BuildAndScan.steps.cve-threshold.outcome == 'failure'
+    with:
+      CVE_CRITICAL: ${{needs.BuildAndScan.outputs.CVE_CRITICAL}}
+      CVE_HIGH: ${{needs.BuildAndScan.outputs.CVE_HIGH}}
+      CVE_MEDIUM: ${{needs.BuildAndScan.outputs.CVE_MEDIUM}}
+    secrets: inherit

.github/workflows/send-notification.yml

@@ -0,0 +1,50 @@
+name: "Send notification"
+
+on:
+  workflow_call:
+    inputs:
+      CVE_CRITICAL:
+        required: true
+        type: string
+      CVE_HIGH:
+        required: true
+        type: string
+      CVE_MEDIUM:
+        required: true
+        type: string
+    secrets:
+      CVE_SCAN_SLACK_WEBHOOK:
+        required: true
+
+jobs:
+  Notify:
+    name: Notify Slack
+    runs-on: ubuntu-latest
+    environment: prod
+    steps:
+      - name: Send notification to Slack
+        id: slack
+        uses: slackapi/slack-github-action@e28cf165c92ffef168d23c5c9000cffc8a25e117 #v1.24.0
+        with:
+          payload: |
+            {
+              "blocks": [
+                {
+                  "type": "header",
+                  "text": {
+                    "type": "plain_text",
+                    "text": "[ ${{ github.event.repository.name }} ]"
+                  }
+                },
+                {
+                  "type": "section",
+                  "text": {
+                    "type": "mrkdwn",
+                    "text": " `CRITICAL` : *${{ inputs.CVE_CRITICAL }}*\n\n`HIGH` : *${{ inputs.CVE_HIGH }}*\n\n`MEDIUM` : *${{ inputs.CVE_MEDIUM }}*\n\n<https://github.com/${{ github.repository }}/security/code-scanning |See details on GitHub>"
+                  }
+                }
+              ]
+            }
+        env:
+          SLACK_WEBHOOK_URL: ${{ secrets.CVE_SCAN_SLACK_WEBHOOK }}
+          SLACK_WEBHOOK_TYPE: INCOMING_WEBHOOK