fix: add better error message to docker-scan and code-scan workflows

LillieEntur · LillieEntur · commit 57ad0ca5733e · 2025-01-10T12:57:56.000+01:00
diff --git a/.github/workflows/code-scan.yml b/.github/workflows/code-scan.yml
@@ -658,24 +658,34 @@ jobs:
       env:
         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
       run: |
+        set +e # Do not exit if a command fails
         get_alerts () {
           alerts="$(gh api \
           --method GET \
           -H 'Accept: application/vnd.github+json' \
           -H 'X-GitHub-Api-Version: 2022-11-28' \
           /repos/${GITHUB_REPOSITORY}/code-scanning/alerts \
           -F severity="$1" -F state='open' -F ref='${{ github.ref }}' -F per_page='100' -F tool_name="$2" --paginate)"
+          alerts_exit_code=$? # Save exit code from gh api command
         }
         get_alerts "error" "Semgrep OSS"
         semgrep_alerts=$alerts
         
         get_alerts "critical" "CodeQL"
         codeql_alerts=$alerts
         
-        if [ "$semgrep_alerts" == "[]" ] && [ "$codeql_alerts" == "[]" ]; then
-          echo 'GHA_SECURITY_CODE_SCAN_CREATE_ALERT_COMMENT='False >> $GITHUB_ENV
+        if [ $alerts_exit_code != 0 ]; then
+            echo "Failed to get alerts from Github. The previous upload vulnerability report step might have failed to be processed/uploaded. Try running the job again"
+            echo '## Code Scan - Failed to get alerts.
+            Upload vulnerability report step might have failed to be processed/uploaded.
+            Try running the job again' >> $GITHUB_STEP_SUMMARY
+            exit 1
         else
-          echo 'GHA_SECURITY_CODE_SCAN_CREATE_ALERT_COMMENT='True >> $GITHUB_ENV
+          if [ "$semgrep_alerts" == "[]" ] && [ "$codeql_alerts" == "[]" ]; then
+            echo 'GHA_SECURITY_CODE_SCAN_CREATE_ALERT_COMMENT='False >> $GITHUB_ENV
+          else
+            echo 'GHA_SECURITY_CODE_SCAN_CREATE_ALERT_COMMENT='True >> $GITHUB_ENV
+          fi
         fi
 
     - name: "Print to job summary if critical alerts are found"
diff --git a/.github/workflows/docker-scan.yml b/.github/workflows/docker-scan.yml
@@ -251,17 +251,27 @@ jobs:
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
+          set +e # Do not exit if a command fails
           alerts="$(gh api \
             --method GET \
             -H 'Accept: application/vnd.github+json' \
             -H 'X-GitHub-Api-Version: 2022-11-28' \
             /repos/${GITHUB_REPOSITORY}/code-scanning/alerts \
             -F severity='critical' -F state='open' -F ref='${{ github.ref }}' -F per_page='100' -F tool_name='Grype' --paginate)"
+            
+          if [ $? != 0 ]; then
+            echo "Failed to get alerts from Github. The previous upload vulnerability report step might have failed to be processed/uploaded. Try running the job again"
+            echo '## Docker Scan - Failed to get alerts.
+            Upload vulnerability report step failed to be processed/uploaded.
+            Try running the job again' >> $GITHUB_STEP_SUMMARY
+            exit 1
+          else
             if [ "$alerts" == "[]" ]; then
               echo 'GHA_SECURITY_DOCKER_SCAN_CREATE_ALERT_COMMENT='False >> $GITHUB_ENV
             else
               echo 'GHA_SECURITY_DOCKER_SCAN_CREATE_ALERT_COMMENT='True >> $GITHUB_ENV
             fi
+          fi
       - name: "Print to job summary if critical alerts are found"
         if: ${{ env.GHA_SECURITY_DOCKER_SCAN_CREATE_ALERT_COMMENT == 'True' }}
         env:
