Scheduled Trivy Scan #1020
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# Copyright 2021, 2024 Oracle Corporation and/or its affiliates. | |
# Licensed under the Universal Permissive License v 1.0 as shown at | |
# https://oss.oracle.com/licenses/upl. | |
# --------------------------------------------------------------------------- | |
# Coherence CLI GitHub Actions Scheduled Trivy Scan. | |
# --------------------------------------------------------------------------- | |
name: Scheduled Trivy Scan | |
on: | |
workflow_dispatch: | |
push: | |
branches-ignore: | |
- gh-pages | |
schedule: | |
# Every day at midnight | |
- cron: '0 0 * * *' | |
jobs: | |
build: | |
runs-on: ubuntu-latest | |
# Checkout the source, we need a depth of zero to fetch all of the history otherwise | |
# the copyright check cannot work out the date of the files from Git. | |
steps: | |
- uses: actions/checkout@v4 | |
with: | |
fetch-depth: 0 | |
- name: Setup oras | |
run: | | |
VERSION="1.2.0" | |
curl -LO "https://github.com/oras-project/oras/releases/download/v${VERSION}/oras_${VERSION}_linux_amd64.tar.gz" | |
mkdir -p oras-install/ | |
tar -zxf oras_${VERSION}_*.tar.gz -C oras-install/ | |
sudo mv oras-install/oras /usr/local/bin/ | |
rm -rf oras_${VERSION}_*.tar.gz oras-install/ | |
- name: Get current date | |
id: date | |
run: echo "date=$(date +'%Y-%m-%d')" >> $GITHUB_OUTPUT | |
- name: Download and extract the vulnerability DB | |
run: | | |
mkdir -p $GITHUB_WORKSPACE/.cache/trivy/db | |
oras pull ghcr.io/aquasecurity/trivy-db:2 | |
tar -xzf db.tar.gz -C $GITHUB_WORKSPACE/.cache/trivy/db | |
rm db.tar.gz | |
- name: Download and extract the Java DB | |
run: | | |
mkdir -p $GITHUB_WORKSPACE/.cache/trivy/java-db | |
oras pull ghcr.io/aquasecurity/trivy-java-db:1 | |
tar -xzf javadb.tar.gz -C $GITHUB_WORKSPACE/.cache/trivy/java-db | |
rm javadb.tar.gz | |
- name: Trivy Scan | |
shell: bash | |
run: | | |
echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u $ --password-stdin | |
export TRIVY_CACHE=$GITHUB_WORKSPACE/.cache/trivy | |
make trivy-scan |