GitHub Actions: align summary order and add missing gem information (#461)

* github actions: use descendant order

It is useful to check the result of fluentd first.

Before:

debian -> ruby -> fluentd

After:

fluentd -> ruby -> debian

Signed-off-by: Kentaro Hayashi <hayashi@clear-code.com>

* github actions: show bundled gems

Show multi-versioned gems in (filter) and full
list in (details) section.

e.g.

  docker run --rm fluent/fluentd:v1.19.1-debian-amd64 gem list | grep ","
  json (2.13.2, default: 2.9.1)
  rexml (3.4.4, 3.4.0)

Signed-off-by: Kentaro Hayashi <hayashi@clear-code.com>

---------

Signed-off-by: Kentaro Hayashi <hayashi@clear-code.com>

Author: kenhys

.github/workflows/scan-images.yml

@@ -11,21 +11,38 @@ concurrency:
   cancel-in-progress: true
 
 jobs:
-  debian:
-    name: Scan debian image with grype
+  gem:
+    name: Show bundled gems
     strategy:
       fail-fast: false
     runs-on: ubuntu-latest
     steps:
-      - name: Pull and scan upstream trixie image
+      - uses: actions/checkout@v6
+      - name: Show bundled gems in Fluentd image
         run: |
-          docker pull debian:trixie
-          echo "# Scan debian image with grype (filter)" >> $GITHUB_STEP_SUMMARY
-          docker run --rm anchore/grype:latest debian:trixie --ignore-states wont-fix | grep -v Negligible >> $GITHUB_STEP_SUMMARY
-          echo "# Scan debian image with grype (details)" >> $GITHUB_STEP_SUMMARY
+          # v1.19.1-debian-amd64
+          IMAGE=$(make echo-all-images | cut -d' ' -f1|cut -d',' -f3)
+          echo "# Show bundled gems in Fluentd image (filter)" >> $GITHUB_STEP_SUMMARY
+          docker run --rm fluent/fluentd:$IMAGE gem list | grep "," >> $GITHUB_STEP_SUMMARY
+          echo "# Show all bundled gems in Fluentd image (details)" >> $GITHUB_STEP_SUMMARY
+          docker run --rm fluent/fluentd:$IMAGE gem list >> $GITHUB_STEP_SUMMARY
+  fluentd:
+    name: Scan Fluentd image with grype
+    strategy:
+      fail-fast: false
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v6
+      - name: Pull and scan Fluentd image
+        run: |
+          # v1.19.1-debian-amd64
+          IMAGE=$(make echo-all-images | cut -d' ' -f1|cut -d',' -f3)
+          echo "# Scan Fluentd image with grype (filter)" >> $GITHUB_STEP_SUMMARY
+          docker run --rm anchore/grype:latest fluent/fluentd:$IMAGE --ignore-states wont-fix | grep -v Negligible >> $GITHUB_STEP_SUMMARY
+          echo "# Scan Fluentd image with grype (details)" >> $GITHUB_STEP_SUMMARY
           echo "|NAME | INSTALLED | FIXED | IN | TYPE | VULNERABILITY | SEVERITY | EPSS | RISK | |" >> $GITHUB_STEP_SUMMARY
           echo "|---| ---|---|---|----|---|---|---|---|---|" >> $GITHUB_STEP_SUMMARY
-          docker run --rm anchore/grype:latest debian:trixie | sed -e "s/won't fix/won'tfix/g" | grep -v "^NAME" | sed 's/^/|/; s/  */ | /g; s/$/ |/' >> $GITHUB_STEP_SUMMARY
+          docker run --rm anchore/grype:latest fluent/fluentd:$IMAGE | sed -e "s/won't fix/won'tfix/g" | grep -v "^NAME" | sed 's/^/|/; s/  */ | /g; s/$/ |/' >> $GITHUB_STEP_SUMMARY
   ruby:
     name: Scan Ruby image with grype
     strategy:
@@ -41,20 +58,18 @@ jobs:
           echo "|NAME | INSTALLED | FIXED | IN | TYPE | VULNERABILITY | SEVERITY | EPSS | RISK | |" >> $GITHUB_STEP_SUMMARY
           echo "|---| ---|---|---|----|---|---|---|---|---|" >> $GITHUB_STEP_SUMMARY
           docker run --rm anchore/grype:latest ruby:3.4-slim | sed -e "s/won't fix/won'tfix/g" | grep -v "^NAME" | sed 's/^/|/; s/  */ | /g; s/$/ |/' >> $GITHUB_STEP_SUMMARY
-  fluentd:
-    name: Scan Fluentd image with grype
+  debian:
+    name: Scan debian image with grype
     strategy:
       fail-fast: false
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v6
-      - name: Pull and scan Fluentd image
+      - name: Pull and scan upstream trixie image
         run: |
-          # v1.19.1-debian-amd64
-          IMAGE=$(make echo-all-images | cut -d' ' -f1|cut -d',' -f3)
-          echo "# Scan Fluentd image with grype (filter)" >> $GITHUB_STEP_SUMMARY
-          docker run --rm anchore/grype:latest fluent/fluentd:$IMAGE --ignore-states wont-fix | grep -v Negligible >> $GITHUB_STEP_SUMMARY
-          echo "# Scan Fluentd image with grype (details)" >> $GITHUB_STEP_SUMMARY
+          docker pull debian:trixie
+          echo "# Scan debian image with grype (filter)" >> $GITHUB_STEP_SUMMARY
+          docker run --rm anchore/grype:latest debian:trixie --ignore-states wont-fix | grep -v Negligible >> $GITHUB_STEP_SUMMARY
+          echo "# Scan debian image with grype (details)" >> $GITHUB_STEP_SUMMARY
           echo "|NAME | INSTALLED | FIXED | IN | TYPE | VULNERABILITY | SEVERITY | EPSS | RISK | |" >> $GITHUB_STEP_SUMMARY
           echo "|---| ---|---|---|----|---|---|---|---|---|" >> $GITHUB_STEP_SUMMARY
-          docker run --rm anchore/grype:latest fluent/fluentd:$IMAGE | sed -e "s/won't fix/won'tfix/g" | grep -v "^NAME" | sed 's/^/|/; s/  */ | /g; s/$/ |/' >> $GITHUB_STEP_SUMMARY
+          docker run --rm anchore/grype:latest debian:trixie | sed -e "s/won't fix/won'tfix/g" | grep -v "^NAME" | sed 's/^/|/; s/  */ | /g; s/$/ |/' >> $GITHUB_STEP_SUMMARY