From f80e51b3381b7d1c1d855445574dcb290854ac22 Mon Sep 17 00:00:00 2001
From: Lillie Rugtveit <126776478+LillieEntur@users.noreply.github.com>
Date: Mon, 13 Jan 2025 10:24:22 +0100
Subject: [PATCH] fix: add better error message to docker-scan and code-scan workflows (#69)
---
 .github/workflows/code-scan.yml | 16 +++++++++++++---
 .github/workflows/docker-scan.yml | 10 ++++++++++
 2 files changed, 23 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/code-scan.yml b/.github/workflows/code-scan.yml
index 430d832..f3261d7 100644
--- a/.github/workflows/code-scan.yml
+++ b/.github/workflows/code-scan.yml
@@ -658,6 +658,7 @@ jobs:
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 run: |
+ set +e # Do not exit if a command fails
 get_alerts () {
 alerts="$(gh api \
 --method GET \
@@ -665,6 +666,7 @@ jobs:
 -H 'X-GitHub-Api-Version: 2022-11-28' \
 /repos/${GITHUB_REPOSITORY}/code-scanning/alerts \
 -F severity="$1" -F state='open' -F ref='${{ github.ref }}' -F per_page='100' -F tool_name="$2" --paginate)"
+ alerts_exit_code=$? # Save exit code from gh api command
 }
 get_alerts "error" "Semgrep OSS"
 semgrep_alerts=$alerts
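Review bot: `set +e` on the added first line of the step disables errexit for the whole script, not only for the `gh api` call whose status the step wants to inspect, so a later failing command in the same step (the `echo ... >> $GITHUB_ENV` writes, for instance) would now pass silently. Because the exit status is captured explicitly anyway, the relaxation can be scoped to that one command while keeping the runner's default `-e` shell: `alerts="$(gh api … --paginate)" || alerts_exit_code=$?` does not trigger errexit on failure and records the status in the same variable. The same `set +e` is added at the top of the docker-scan hunk (`@@ -251`), where the same one-line form applies. The `run:` step and the `get_alerts` function both continue past the end of this hunk.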
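Review bot: `alerts_exit_code=$?` writes a single global that every `get_alerts` call overwrites, so by the time the `@@ -672` hunk tests it only the last call (`get_alerts "critical" "CodeQL"`) is actually checked and a failed Semgrep query is never reported. A failed `gh api` presumably leaves `alerts` empty rather than `[]`, so that path would then set `GHA_SECURITY_CODE_SCAN_CREATE_ALERT_COMMENT=True` instead of failing the step. Accumulate the status instead, e.g. `[ $? -eq 0 ] || alerts_exit_code=1`, with `alerts_exit_code=0` initialised before the first call (the function header is in the previous hunk). Since the variable name is the only link between this capture and the later test, a comment such as `# non-zero if any get_alerts call failed; checked after the last call` would make the contract visible.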
@@ -672,10 +674,18 @@ jobs:
 get_alerts "critical" "CodeQL"
 codeql_alerts=$alerts
- if [ "$semgrep_alerts" == "[]" ] && [ "$codeql_alerts" == "[]" ]; then
- echo 'GHA_SECURITY_CODE_SCAN_CREATE_ALERT_COMMENT='False >> $GITHUB_ENV
+ if [ $alerts_exit_code != 0 ]; then
+ echo "Failed to get alerts from Github. The previous upload vulnerability report step might have failed to be processed/uploaded. Try running the job again"
+ echo '## Code Scan - Failed to get alerts.
+ Upload vulnerability report step might have failed to be processed/uploaded.
+ Try running the job again' >> $GITHUB_STEP_SUMMARY
+ exit 1
 else
- echo 'GHA_SECURITY_CODE_SCAN_CREATE_ALERT_COMMENT='True >> $GITHUB_ENV
+ if [ "$semgrep_alerts" == "[]" ] && [ "$codeql_alerts" == "[]" ]; then
+ echo 'GHA_SECURITY_CODE_SCAN_CREATE_ALERT_COMMENT='False >> $GITHUB_ENV
+ else
+ echo 'GHA_SECURITY_CODE_SCAN_CREATE_ALERT_COMMENT='True >> $GITHUB_ENV
+ fi
 fi
 - name: "Print to job summary if critical alerts are found"
diff --git a/.github/workflows/docker-scan.yml b/.github/workflows/docker-scan.yml
index 6cb689c..4b625f4 100644
--- a/.github/workflows/docker-scan.yml
+++ b/.github/workflows/docker-scan.yml
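Review bot: `if [ $alerts_exit_code != 0 ]; then` compares the status as an unquoted string, so if the variable is unset (it is only assigned inside `get_alerts` in the previous hunk and nothing initialises it) the test collapses to `[ != 0 ]`, which `test` rejects with "unary operator expected" and, under the step's `set +e`, falls through to the else branch as though the query had succeeded. `if [ "${alerts_exit_code:-1}" -ne 0 ]; then` keeps the comparison numeric and fails closed when no status was recorded. It is also worth stating the intent of the `exit 1` in a comment, e.g. `# fail closed: no clean verdict without a successful alerts query`, so a later edit does not downgrade it to a warning. The `run:` step's closing context after `fi` extends past what is visible here.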
@@ -251,17 +251,27 @@ jobs:
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 run: |
+ set +e # Do not exit if a command fails
 alerts="$(gh api \
 --method GET \
 -H 'Accept: application/vnd.github+json' \
 -H 'X-GitHub-Api-Version: 2022-11-28' \
 /repos/${GITHUB_REPOSITORY}/code-scanning/alerts \
 -F severity='critical' -F state='open' -F ref='${{ github.ref }}' -F per_page='100' -F tool_name='Grype' --paginate)"
+
+ if [ $? != 0 ]; then
+ echo "Failed to get alerts from Github. The previous upload vulnerability report step might have failed to be processed/uploaded. Try running the job again"
+ echo '## Docker Scan - Failed to get alerts.
+ Upload vulnerability report step might have failed to be processed/uploaded.
+ Try running the job again' >> $GITHUB_STEP_SUMMARY
+ exit 1
+ else
 if [ "$alerts" == "[]" ]; then
 echo 'GHA_SECURITY_DOCKER_SCAN_CREATE_ALERT_COMMENT='False >> $GITHUB_ENV
 else
 echo 'GHA_SECURITY_DOCKER_SCAN_CREATE_ALERT_COMMENT='True >> $GITHUB_ENV
 fi
+ fi
 - name: "Print to job summary if critical alerts are found"
 if: ${{ env.GHA_SECURITY_DOCKER_SCAN_CREATE_ALERT_COMMENT == 'True' }}
 env:
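Review bot: The added `else` and closing `fi` wrap the existing `if [ "$alerts" == "[]" ]` block without re-indenting it, so the block now reads as a sibling of the error branch while actually being nested inside it. Because the error branch ends in `exit 1`, the wrapper is redundant: drop the added `+ else` and the trailing `+ fi` and let the existing block follow the guard unchanged, which also keeps the diff to the new lines only. While there, `if [ $? -ne 0 ]; then` is the numeric form of the status test; the blank line added between the assignment and the test is harmless since it does not reset `$?`, but a comment such as `# $? is the exit status of the gh api command substitution above` would make that dependency explicit.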