Skip to content

Scheduled Trivy Scan #1020

Scheduled Trivy Scan

Scheduled Trivy Scan #1020

Workflow file for this run

# Copyright 2021, 2024 Oracle Corporation and/or its affiliates.
# Licensed under the Universal Permissive License v 1.0 as shown at
# https://oss.oracle.com/licenses/upl.
# ---------------------------------------------------------------------------
# Coherence CLI GitHub Actions Scheduled Trivy Scan.
# ---------------------------------------------------------------------------
name: Scheduled Trivy Scan
on:
workflow_dispatch:
push:
branches-ignore:
- gh-pages
schedule:
# Every day at midnight
- cron: '0 0 * * *'
jobs:
build:
runs-on: ubuntu-latest
# Checkout the source, we need a depth of zero to fetch all of the history otherwise
# the copyright check cannot work out the date of the files from Git.
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Setup oras
run: |
VERSION="1.2.0"
curl -LO "https://github.com/oras-project/oras/releases/download/v${VERSION}/oras_${VERSION}_linux_amd64.tar.gz"
mkdir -p oras-install/
tar -zxf oras_${VERSION}_*.tar.gz -C oras-install/
sudo mv oras-install/oras /usr/local/bin/
rm -rf oras_${VERSION}_*.tar.gz oras-install/
- name: Get current date
id: date
run: echo "date=$(date +'%Y-%m-%d')" >> $GITHUB_OUTPUT
- name: Download and extract the vulnerability DB
run: |
mkdir -p $GITHUB_WORKSPACE/.cache/trivy/db
oras pull ghcr.io/aquasecurity/trivy-db:2
tar -xzf db.tar.gz -C $GITHUB_WORKSPACE/.cache/trivy/db
rm db.tar.gz
- name: Download and extract the Java DB
run: |
mkdir -p $GITHUB_WORKSPACE/.cache/trivy/java-db
oras pull ghcr.io/aquasecurity/trivy-java-db:1
tar -xzf javadb.tar.gz -C $GITHUB_WORKSPACE/.cache/trivy/java-db
rm javadb.tar.gz
- name: Trivy Scan
shell: bash
run: |
echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u $ --password-stdin
export TRIVY_CACHE=$GITHUB_WORKSPACE/.cache/trivy
make trivy-scan