Skip to content

Daily vulnerability scan #422

Daily vulnerability scan

Daily vulnerability scan #422

name: Daily vulnerability scan
on:
workflow_dispatch:
schedule:
- cron: "43 14 * * *"
jobs:
build-and-publish-result-to-ghcr:
# Explicitly grant the `secrets.GITHUB_TOKEN` permissions.
permissions:
packages: read
# Needed to upload the code scanning results to code-scanning dashboard.
security-events: write
name: Build container images
runs-on: ubuntu-latest
steps:
- name: Checkout main
uses: actions/[email protected]
with:
fetch-depth: 0
- name: Detect latest release
id: generate-container-name
run: |
echo "latest_version=ghcr.io/richardoc/kube-audit-rest:$(git tag --sort=-version:refname | head -n1)" >> "$GITHUB_OUTPUT"
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Login to GitHub Container Registry
uses: docker/login-action@v3
with:
registry: ghcr.io
# This is the user that triggered the Workflow. In this case, it will
# either be the user whom created the Release or manually triggered
# the workflow_dispatch.
username: ${{ github.actor }}
# `secrets.GITHUB_TOKEN` is a secret that's automatically generated by
# GitHub Actions at the start of a workflow run to identify the job.
# This is used to authenticate against GitHub Container Registry.
# See https://docs.github.com/en/actions/security-guides/automatic-token-authentication#about-the-github_token-secret
# for more detailed information.
password: ${{ secrets.GITHUB_TOKEN }}
- name: Run Trivy vulnerability scanner for distroless container
uses: aquasecurity/[email protected]
with:
image-ref: '${{ steps.generate-container-name.outputs.latest_version }}-distroless'
scan-ref: "daily scan - ${{ steps.generate-container-name.outputs.latest_version }}-distroless"
format: 'sarif'
output: 'distroless-results.sarif'
github-pat: '${{ secrets.GITHUB_TOKEN }}'
- name: Upload Trivy distroless scan results to GitHub Security tab
uses: github/codeql-action/[email protected]
with:
sarif_file: 'distroless-results.sarif'
category: 'daily-trivy-distroless-AMD64-release'
- name: Run Trivy vulnerability scanner for alpine container
uses: aquasecurity/[email protected]
with:
image-ref: '${{ steps.generate-container-name.outputs.latest_version }}-alpine'
scan-ref: "daily scan - ${{ steps.generate-container-name.outputs.latest_version }}-alpine"
format: 'sarif'
output: 'alpine-results.sarif'
github-pat: '${{ secrets.GITHUB_TOKEN }}'
- name: Upload Trivy alpine scan results to GitHub Security tab
uses: github/codeql-action/[email protected]
with:
sarif_file: 'alpine-results.sarif'
category: 'daily-trivy-alpine-AMD64-on-latest-release'
static-scan-with-trivy:
# Explicitly grant the `secrets.GITHUB_TOKEN` permissions.
permissions:
packages: read
# Needed to upload the code scanning results to code-scanning dashboard.
security-events: write
# Needed to upload dependency graph
contents: write
name: Run trivy on the repo
runs-on: ubuntu-latest
steps:
- name: Checkout main
uses: actions/[email protected]
with:
fetch-depth: 0
- name: Run Trivy vulnerability scanner in fs mode
uses: aquasecurity/trivy-action@master
with:
scan-type: 'fs'
scan-ref: '.'
format: 'sarif'
output: 'repo-results.sarif'
github-pat: '${{ secrets.GITHUB_TOKEN }}'
- name: Upload Trivy repo scan results to GitHub Security tab
uses: github/codeql-action/[email protected]
with:
sarif_file: 'repo-results.sarif'
category: 'daily-trivy-repo'
- name: Run Trivy in GitHub SBOM mode and submit results to Dependency Graph
uses: aquasecurity/trivy-action@master
with:
scan-type: 'fs'
format: 'github'
output: 'dependency-results.sbom.json'
image-ref: '.'
github-pat: ${{ secrets.GITHUB_TOKEN }}