Skip to content

container security scan #1

container security scan

container security scan #1

name: container security scan
on:
workflow_dispatch:
inputs:
tag:
description: 'Container image tag'
required: false
default: 'develop'
schedule:
# Start of the hour is the busy time. Scheule it to run 8:17am UTC
- cron: '17 8 * * *'
jobs:
scan-sarif:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4
# Shell parameter expansion does not support directly on a step
# Adding a separate step to set the image tag. This allows running
# this workflow with a schedule as well as manual
- name: Set image tag
id: tag
run: |
echo "TAG=${INPUT_TAG:-develop}" >> "$GITHUB_OUTPUT"
env:
INPUT_TAG: ${{ inputs.tag }}
- name: Vulnerability scanner
id: trivy
uses: aquasecurity/[email protected]
with:
image-ref: hyperledger/besu:${{ steps.tag.outputs.TAG }}
format: sarif
output: 'trivy-results.sarif'
# Check the vulnerabilities via GitHub security tab
- name: Upload results
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: 'trivy-results.sarif'