
Explore changing the exit-code on trivy scanners from 1 to something else #78

Open

DnPlas opened this issue Oct 15, 2024 · 1 comment

Labels
enhancement (New feature or request)

Comments

@DnPlas (Contributor)

DnPlas commented Oct 15, 2024

Context

The changes introduced by #73 set the exit code of the aquasecurity/trivy-action action to 1 to be able to know when a CVE is found. This is helpful for us because, when the scan job ends in failure (*.scan.result == 'failure'), the next job reports GitHub issues only in that case.

The limitations of this approach are:

  1. Real failures in the scan job can be hidden; that is, the job ends with a non-zero exit code due to some other issue, for example the image to be scanned not being found, or the action malfunctioning.
  2. The scan workflow is always shown as a failed run (red). This can be misleading: if we look at the scans and see all red runs, we won't know whether the scanners are actually doing their job or malfunctioning.

What needs to get done

  1. Explore the option of using a different exit-code for the aquasecurity/trivy-action action
  2. Capture the new exit code and add conditionals to the workflow so that:
  • If the exit code is 123, for example, we know it comes from the CVE scanners, and the job should succeed
  • If the exit code is something else, it means a real failure, and the job should fail

Definition of Done

There is enough information to make a decision to refactor the scan-from-dockerhub-report-issue.yaml and scan-from-published-image.yaml files by changing the exit code.

@DnPlas added the enhancement label Oct 15, 2024
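An added example, not code from the issue or from the project's workflows, of the exit-code handling the "What needs to get done" list describes. It assumes that the scanner is invoked as the `trivy` CLI (or that the action forwards an `exit-code` input unchanged to trivy's `--exit-code` flag) and that 123 is the dedicated "vulnerabilities found" code, as the issue suggests. The two functions are what a `run:` step could wrap around the scan: `run_scan` captures the raw status without letting `set -e` abort the step, and `classify_scan_exit` maps it to `clean`, `findings` or `error`, so only a real failure returns non-zero and turns the job red; the `$GITHUB_OUTPUT` lines (commented out, hypothetical names) show where the class would be exported for a later `if:` condition.

```shell
#!/bin/sh
# Added example (not from the issue or the project): separate "scanner found
# CVEs" from "scanner broke" using a dedicated exit code.

# Assumed dedicated exit code for "vulnerabilities found". This is the value
# that would be passed as trivy's --exit-code (or the action's exit-code input).
FINDINGS_EXIT_CODE=123

# classify_scan_exit CODE
#   prints one of: clean | findings | error
#   0                   -> clean    (scan ran, nothing found)
#   $FINDINGS_EXIT_CODE -> findings (scan ran, CVEs found: job should succeed)
#   anything else       -> error    (image missing, tool broken, ...: job fails)
classify_scan_exit() {
    case "$1" in
        0) echo clean ;;
        "$FINDINGS_EXIT_CODE") echo findings ;;
        *) echo error ;;
    esac
}

# run_scan CMD [ARGS...]
#   Runs the scanner, captures its exit status even under `set -e` (the
#   && / || list keeps errexit from firing), prints the class on stdout and
#   returns 0 for clean/findings, 1 for error.
run_scan() {
    "$@" && status=0 || status=$?
    class=$(classify_scan_exit "$status")
    echo "$class"
    # In a GitHub Actions step, export the values for later conditionals, e.g.
    #   echo "scan_exit=$status" >> "$GITHUB_OUTPUT"
    #   echo "scan_class=$class" >> "$GITHUB_OUTPUT"
    # and then gate the issue-reporting job on
    #   if: steps.scan.outputs.scan_class == 'findings'
    [ "$class" != error ]
}

# Real invocation would look like (assumed flags; trivy's real CLI options):
#   run_scan trivy image --exit-code "$FINDINGS_EXIT_CODE" --severity HIGH,CRITICAL "$IMAGE"
# The tests below use `sh -c 'exit N'` as a constructed stand-in for the scanner.
```

With this split, `findings` still ends the step with status 0, so the workflow run stays green while the downstream job can keep its "report issues only when CVEs were found" behaviour by checking the exported class instead of `*.scan.result == 'failure'`.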

Thank you for reporting your feedback to us!

The internal ticket has been created: https://warthogs.atlassian.net/browse/KF-6437.

This message was autogenerated
