ci: compare cves to main (#2448)

## Description

This would add a compare CVEs to main workflow to replace the "analyze
cves" which currently runs on PRs. This new workflow would only fail on
PRs is new CVE's were added rather than always failing if CVE's exist in
the PR.

Assuming we want to move forward with this we would need to add some
extra signal for ourselves to notify us when we do have CVEs on PRs.
Maybe a status icon on the repo? Maybe emails? Maybe auto opened issues
? Github security also opens up alerts though those don't take into
account the .grype.yaml so there is more noise

---------

Co-authored-by: razzle <razzle@defenseunicorns.com>

.github/workflows/compare-cves.yml

@@ -0,0 +1,33 @@
+name: Compare CVEs to main
+
+permissions:
+  contents: read
+
+on:
+  pull_request:
+    paths:
+      - "go.mod"
+      - "go.sum"
+      - "cargo.toml"
+      - "cargo.lock"
+
+jobs:
+  validate:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repo
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        with:
+          ref: ${{ github.head_ref || github.ref_name }}
+
+      - name: fetch main
+        run: git fetch origin main --depth 1
+
+      - name: Setup golang
+        uses: ./.github/actions/golang
+
+      - name: Install tools
+        uses: ./.github/actions/install-tools
+
+      - name: Check for CVEs in Dependencies
+        run: "hack/check-vulnerabilities.sh"

.github/workflows/scan-cves.yml

@@ -6,12 +6,6 @@ permissions:
 on:
   schedule:
     - cron: "0 10 * * *"
-  pull_request:
-    paths:
-      - "go.mod"
-      - "go.sum"
-      - "cargo.toml"
-      - "cargo.lock"
 
 jobs:
   validate:

hack/check-vulnerabilities.sh

@@ -0,0 +1,30 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+MAIN_BRANCH="main"
+TARGET_BRANCH=$(git rev-parse --abbrev-ref HEAD)
+echo "target branch is $TARGET_BRANCH"
+
+mkdir -p build
+
+git checkout $MAIN_BRANCH
+go run main.go tools sbom scan . -o json --exclude './site' --exclude './examples' > build/main-syft.json
+
+git checkout $TARGET_BRANCH
+cat build/main-syft.json | grype -o template -t hack/compare.tmpl > build/main.json
+go run main.go tools sbom scan . -o json --exclude './site' --exclude './examples' | grype -o template -t hack/compare.tmpl > build/target.json
+
+
+result=$(jq --slurp '.[0] - .[1]' build/target.json build/main.json | jq '[.[] | select(.severity != "Low" and .severity != "Medium")]')
+
+echo "CVEs on $MAIN_BRANCH are $(cat build/main.json | jq )"
+echo "CVEs on $TARGET_BRANCH are $(cat build/target.json | jq)"
+
+if [[ "$result" == "[]" ]]; then
+  echo "no new vulnerabilities on $TARGET_BRANCH"
+  exit 0
+else
+  echo "new CVEs have been added with IDs $result"
+  exit 1
+fi

hack/compare.tmpl

@@ -0,0 +1,7 @@
+[
+  {{- $length := len .Matches -}}
+  {{- range $index, $match := .Matches -}}
+  { "id": "{{$match.Vulnerability.ID}}", "severity": "{{$match.Vulnerability.Severity}}" }
+  {{ if lt (add $index 1) $length }},{{ end }}
+  {{- end -}}
+]