Context
More context in #69, specifically in https://github.com/canonical/charmed-kubeflow-workflows/issues/69#issuecomment-2401145286, but bringing the last discussion to this new issue so we can close that other one.
Discussion
Should automatic reports be enabled on_push? - Right now, most (if not all) rocks repositories are scanning images on_push and uploading the vulnerability reports, but:
- Those workflows will not fail even if a vulnerability is found.
- The results of those scans are not monitored by the team.
This can be solved by relying on the scheduled workflow, BUT the scheduled workflow only scans and reports published images. On the other hand, not enabling this would ensure that the CI is always green and publishes images regardless of the vulnerabilities.
https://github.com/canonical/charmed-kubeflow-workflows/pull/74 shows an example of how this can be added and left for us to enable whenever we call get-rocks-modified-and-build-scan-test-publish.yaml in each of the rocks repositories. In this workflow run, the execution shows an example of the feature available but disabled (as we are not passing report-vulnerabilities: true to the workflow). On the other hand, this is an example run of the same workflow but with the reports enabled, as seen here. This would be what could happen on_push if we decide that it is worth adding this.