From f51bfe5908f44bdb4ca7afd5457231400d0bfdc2 Mon Sep 17 00:00:00 2001 From: John Osborne Date: Thu, 21 Nov 2024 15:21:37 -0500 Subject: [PATCH] Update updates.yaml Signed-off-by: John Osborne --- .github/workflows/updates.yaml | 29 ++++++++++++++++++++++++++--- 1 file changed, 26 insertions(+), 3 deletions(-) diff --git a/.github/workflows/updates.yaml b/.github/workflows/updates.yaml index a2a0a5b..4b48838 100644 --- a/.github/workflows/updates.yaml +++ b/.github/workflows/updates.yaml @@ -78,14 +78,28 @@ jobs: echo "UNIQUE_TAGS_CHANGED=false" >> $GITHUB_ENV fi - - name: Run chainctl images diff + - name: Cosign Verify if: env.UNIQUE_TAGS_CHANGED == 'true' - id: diff_vulnerabilities + id: cosign-verify run: | OLD_IMAGE="${{ env.REDIS_IMAGE }}:${{ env.CURRENT_UNIQUE_TAG }}" NEW_IMAGE="${{ env.REDIS_IMAGE }}:${{ env.LATEST_UNIQUE_TAG }}" + + cosign verify \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity=https://github.com/chainguard-images/images-private/.github/workflows/release.yaml@refs/heads/main \ + $NEW_IMAGE | jq + + echo "OLD_IMAGE=$OLD_IMAGE" >> $GITHUB_ENV + echo "NEW_IMAGE=$NEW_IMAGE" >> $GITHUB_ENV + continue-on-error: false + + - name: Run chainctl images diff + if: env.UNIQUE_TAGS_CHANGED == 'true' + id: diff_vulnerabilities + run: | - CVE_LIST_JSON=$(chainctl images diff $OLD_IMAGE $NEW_IMAGE 2>/dev/null | jq -c '[.vulnerabilities.removed[] | select(.severity == "Critical" or .severity == "High") | .id]') + CVE_LIST_JSON=$(chainctl images diff "${{ OLD_IMAGE }}" "${{ NEW_IMAGE }}" 2>/dev/null | jq -c '[.vulnerabilities.removed[] | select(.severity == "Critical" or .severity == "High") | .id]') echo "CVE_LIST=$CVE_LIST_JSON" >> $GITHUB_ENV if [ -n "$CVE_LIST_JSON" ]; then 
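Review bot: The `cosign verify … $NEW_IMAGE | jq` pipeline in the new Cosign Verify step does not actually gate the job: with no `shell: bash` on the step and no `pipefail`, the step's exit status is jq's (which exits 0 on empty input), so a failed signature verification still lets the job go on to `chainctl images diff` — `continue-on-error: false` is the default and changes nothing. Start the script with `set -o pipefail` (or set `shell: bash` on the step, which GitHub runs with `-eo pipefail`) and quote the reference, `"$NEW_IMAGE"`. The replacement `chainctl images diff` line is also broken as written: `${{ OLD_IMAGE }}` is not a valid expression (there is no such context), so the workflow will fail validation; since both values are exported through `$GITHUB_ENV` in the previous step, `chainctl images diff "$OLD_IMAGE" "$NEW_IMAGE"` is the correct and injection-free form. Consider also capturing the digest that cosign verified and using it in the later steps, so the tag cannot be re-pointed between verification and use.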
@@ -96,6 +110,15 @@ jobs: echo "FIX_CVE=false" >> $GITHUB_ENV fi + - name: Scan New Image with Grype + run: | + grype $NEW_IMAGE -o sarif > grype-results.sarif + + - name: Upload SARIF results + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: grype-results.sarif + - env: GITHUB_TOKEN: ${{ steps.octo-sts.outputs.token }} run: |
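Review bot: The new Grype step runs unconditionally, but `NEW_IMAGE` is only written to `$GITHUB_ENV` when `UNIQUE_TAGS_CHANGED` is `'true'`, so on the no-change path `grype` is invoked with an empty image argument and the job fails, and the equally unconditioned upload step then points at a missing or empty SARIF file. Add `if: env.UNIQUE_TAGS_CHANGED == 'true'` to both new steps and quote the reference: `grype "$NEW_IMAGE" -o sarif > grype-results.sarif`. Scanning by tag also means the image Grype reports on is not necessarily the one the earlier cosign step verified; scanning the verified digest instead would close that gap. `github/codeql-action/upload-sarif@v2` is pinned to a mutable tag rather than a full commit SHA, which is the usual hardening for third-party actions, and the upload needs `security-events: write` — I cannot confirm that from the hunk since the job's `permissions` block is outside it.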