Daily vulnerability scan #417
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Daily vulnerability scan | |
on: | |
workflow_dispatch: | |
schedule: | |
- cron: "43 14 * * *" | |
jobs: | |
build-and-publish-result-to-ghcr: | |
# Explicitly grant the `secrets.GITHUB_TOKEN` permissions. | |
permissions: | |
packages: read | |
# Needed to upload the code scanning results to code-scanning dashboard. | |
security-events: write | |
name: Build container images | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout main | |
uses: actions/[email protected] | |
with: | |
fetch-depth: 0 | |
- name: Detect latest release | |
id: generate-container-name | |
run: | | |
echo "latest_version=ghcr.io/richardoc/kube-audit-rest:$(git tag --sort=-version:refname | head -n1)" >> "$GITHUB_OUTPUT" | |
- name: Set up Docker Buildx | |
uses: docker/setup-buildx-action@v3 | |
- name: Login to GitHub Container Registry | |
uses: docker/login-action@v3 | |
with: | |
registry: ghcr.io | |
# This is the user that triggered the Workflow. In this case, it will | |
# either be the user whom created the Release or manually triggered | |
# the workflow_dispatch. | |
username: ${{ github.actor }} | |
# `secrets.GITHUB_TOKEN` is a secret that's automatically generated by | |
# GitHub Actions at the start of a workflow run to identify the job. | |
# This is used to authenticate against GitHub Container Registry. | |
# See https://docs.github.com/en/actions/security-guides/automatic-token-authentication#about-the-github_token-secret | |
# for more detailed information. | |
password: ${{ secrets.GITHUB_TOKEN }} | |
- name: Run Trivy vulnerability scanner for distroless container | |
uses: aquasecurity/[email protected] | |
with: | |
image-ref: '${{ steps.generate-container-name.outputs.latest_version }}-distroless' | |
scan-ref: "daily scan - ${{ steps.generate-container-name.outputs.latest_version }}-distroless" | |
format: 'sarif' | |
output: 'distroless-results.sarif' | |
github-pat: '${{ secrets.GITHUB_TOKEN }}' | |
- name: Upload Trivy distroless scan results to GitHub Security tab | |
uses: github/codeql-action/[email protected] | |
with: | |
sarif_file: 'distroless-results.sarif' | |
category: 'daily-trivy-distroless-AMD64-release' | |
- name: Run Trivy vulnerability scanner for alpine container | |
uses: aquasecurity/[email protected] | |
with: | |
image-ref: '${{ steps.generate-container-name.outputs.latest_version }}-alpine' | |
scan-ref: "daily scan - ${{ steps.generate-container-name.outputs.latest_version }}-alpine" | |
format: 'sarif' | |
output: 'alpine-results.sarif' | |
github-pat: '${{ secrets.GITHUB_TOKEN }}' | |
- name: Upload Trivy alpine scan results to GitHub Security tab | |
uses: github/codeql-action/[email protected] | |
with: | |
sarif_file: 'alpine-results.sarif' | |
category: 'daily-trivy-alpine-AMD64-on-latest-release' | |
static-scan-with-trivy: | |
# Explicitly grant the `secrets.GITHUB_TOKEN` permissions. | |
permissions: | |
packages: read | |
# Needed to upload the code scanning results to code-scanning dashboard. | |
security-events: write | |
# Needed to upload dependency graph | |
contents: write | |
name: Run trivy on the repo | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout main | |
uses: actions/[email protected] | |
with: | |
fetch-depth: 0 | |
- name: Run Trivy vulnerability scanner in fs mode | |
uses: aquasecurity/trivy-action@master | |
with: | |
scan-type: 'fs' | |
scan-ref: '.' | |
format: 'sarif' | |
output: 'repo-results.sarif' | |
github-pat: '${{ secrets.GITHUB_TOKEN }}' | |
- name: Upload Trivy repo scan results to GitHub Security tab | |
uses: github/codeql-action/[email protected] | |
with: | |
sarif_file: 'repo-results.sarif' | |
category: 'daily-trivy-repo' | |
- name: Run Trivy in GitHub SBOM mode and submit results to Dependency Graph | |
uses: aquasecurity/trivy-action@master | |
with: | |
scan-type: 'fs' | |
format: 'github' | |
output: 'dependency-results.sbom.json' | |
image-ref: '.' | |
github-pat: ${{ secrets.GITHUB_TOKEN }} |