
[discussion] Should automatic vulnerability reports be enabled on_push? #82

DnPlas opened this issue Oct 16, 2024 · 0 comments
DnPlas commented Oct 16, 2024

Context

More context in #69, specifically in #69 (comment), but bringing the last discussion to this new issue so we can close that other one.

Discussion

Should automatic reports be enabled on_push? - Right now, most (if not all) rocks repositories are scanning images on_push and uploading the vulnerability reports, but:

  • Those workflows will not fail even if a vulnerability is found
  • The results of those scans are not monitored by the team

This can be solved by relying on the scheduled workflow, BUT, the scheduled workflow only scans and reports published images. On the other hand, not enabling this would ensure that the CI is always green and publishing images regardless of the vulnerabilities.

#74 shows an example of how this can be added and be left for us to enable it whenever we call get-rocks-modified-and-build-scan-test-publish.yaml in each of the rocks repositories. In this workflow run, the execution shows an example of the feature available, but disabled (as we are not passing the report-vulnerabilities: true to the workflow). On the other hand, this is an example run of the same workflow, but enabling the reports, as seen here. This would be what could happen on_push if we decide that it is worth adding this.
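One way to close the gap the comment points out (scans run on_push but never fail the job and nobody watches the reports), as an added example that is not part of this issue or of the rocks workflows: a small gate that reads a scan report and decides whether the CI step should go red. The JSON layout is a simplified Trivy-style structure and the CVE identifiers are constructed placeholders; both are assumptions, not output of the project's scanner.

```python
import json
from collections import Counter

# Constructed sample report in a simplified, Trivy-like JSON layout (an
# assumption: the issue does not say which scanner the rocks workflows use).
# The CVE identifiers are placeholders, not real advisories.
SAMPLE_REPORT = json.dumps({
    "Results": [
        {"Target": "example-rock:1.0 (ubuntu 22.04)",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libexample",
              "Severity": "HIGH", "FixedVersion": "1.2.3"},
             {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libother",
              "Severity": "CRITICAL", "FixedVersion": ""},
             {"VulnerabilityID": "CVE-0000-0003", "PkgName": "zlib",
              "Severity": "LOW", "FixedVersion": "1.3"},
         ]}
    ]
})


def evaluate_report(report_json, fail_on=("CRITICAL", "HIGH"), fixed_only=False):
    """Return (counts_by_severity, blocking_ids) for one scan report.

    fail_on:    severities that should fail the job.
    fixed_only: when True, only findings with a FixedVersion count, i.e. the
                ones a rebuild of the image could actually remove.
    """
    data = json.loads(report_json)
    counts = Counter()
    blocking = []
    for result in data.get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            sev = vuln.get("Severity", "UNKNOWN").upper()
            counts[sev] += 1
            if sev not in fail_on:
                continue
            if fixed_only and not vuln.get("FixedVersion"):
                continue
            blocking.append(vuln["VulnerabilityID"])
    return dict(counts), blocking


def should_fail(report_json, **kwargs):
    """Gate decision for a CI step: True when the job should go red."""
    return bool(evaluate_report(report_json, **kwargs)[1])


if __name__ == "__main__":
    counts, ids = evaluate_report(SAMPLE_REPORT)
    print("severity counts:", counts)
    print("blocking findings:", ids)
    raise SystemExit(1 if ids else 0)  # non-zero exit fails the workflow step
```

Running the script on a real report (for example `python gate.py < report.json` after swapping SAMPLE_REPORT for stdin) gives the on_push workflow a failing exit status, which is the signal the comment notes is currently missing.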
