Fix image push condition

Author: seunghun1ee

.github/workflows/stackhpc-container-image-build.yml

@@ -39,7 +39,7 @@ on:
         required: false
         default: true
       push-dirty:
-        description: Push scanned images that have vulnerabilities?
+        description: Push scanned images that have critical vulnerabilities?
         type: boolean
         required: false
         default: false
@@ -239,9 +239,16 @@ jobs:
         run: cp image-build-logs/image-scan-output/clean-images.txt image-build-logs/push-attempt-images.txt
         if: inputs.push
 
+      # NOTE(seunghun1ee): This always appends dirty images with CVEs severity lower than critical.
+      # This should be reverted when it's decided to filter high level CVEs as well.
       - name: Append dirty images to push list
         run: |
           cat image-build-logs/image-scan-output/dirty-images.txt >> image-build-logs/push-attempt-images.txt
+        if: ${{ inputs.push }}
+
+      - name: Append images with critical vulnerabilities to push list
+        run: |
+          cat image-build-logs/image-scan-output/critical-images.txt >> image-build-logs/push-attempt-images.txt
         if: ${{ inputs.push && inputs.push-dirty }}
 
       - name: Push images

tools/scan-images.sh

@@ -51,8 +51,6 @@ for image in $images; do
     # Add the image to the clean list
     echo "${image}" >> image-scan-output/clean-images.txt
   else
-    # Add the image to the dirty list
-    echo "${image}" >> image-scan-output/dirty-images.txt
 
     # Write a header for the summary CSV
     echo '"PkgName","PkgPath","PkgID","VulnerabilityID","FixedVersion","PrimaryURL","Severity"' > image-scan-output/${filename}.summary.csv
@@ -81,6 +79,9 @@ for image in $images; do
     if [ $(grep "CRITICAL" image-scan-output/${filename}.summary.csv -c) -gt 0 ]; then
       # If the image contains critical vulnerabilities, add the image to critical list
       echo "${image}" >> image-scan-output/critical-images.txt
+    else
+      # Otherwise, add the image to the dirty list
+      echo "${image}" >> image-scan-output/dirty-images.txt
     fi
   fi
 done