Skip to content

cron-scan-images-daily #344

cron-scan-images-daily

cron-scan-images-daily #344

name: cron-scan-images-daily
on:
schedule:
- cron: "0 16 * * *"
workflow_dispatch: {}
jobs:
build-matrix:
runs-on: ubuntu-20.04
outputs:
matrix: ${{ steps.set-matrix.outputs.matrix }}
steps:
- uses: actions/setup-node@v3
- uses: actions/checkout@v4
- name: Install dependencies
working-directory: ./bin/scan-images/
run: npm install
- id: set-matrix
name: Build image matrix
run: |
echo "matrix<<EOF" >> "$GITHUB_OUTPUT"
./bin/scan-images/matrix.js >> "$GITHUB_OUTPUT"
echo "EOF" >> "$GITHUB_OUTPUT"
scan-images:
name: ${{ matrix.addon }}:${{ matrix.version }} - ${{ matrix.name }}
needs: build-matrix
runs-on: ubuntu-20.04
strategy:
matrix: ${{ fromJSON(needs.build-matrix.outputs.matrix) }}
fail-fast: false
max-parallel: 5
steps:
- name: "Write Trivy ignore file"
run: if [ -n '${{ matrix.trivyignore }}' ]; then echo '${{ matrix.trivyignore }}' | base64 -d > .trivyignore.rego ; fi
- name: "Generate artifact"
id: trivy
uses: aquasecurity/[email protected]
continue-on-error: ${{ ! matrix.maintainer }}
with:
image-ref: ${{ matrix.image }}
vuln-type: 'os'
format: 'json'
output: 'trivy.json'
severity: 'CRITICAL,HIGH'
ignore-unfixed: true
ignore-policy: ${{ matrix.trivyignore && '.trivyignore.rego' }}
exit-code: '1'
- name: "Upload artifact"
uses: actions/upload-artifact@v3
if: ${{ always() && steps.trivy.outcome == 'failure' }}
with:
name: ${{ matrix.addon }}-${{ matrix.version }}-${{ matrix.name }}
path: trivy.json
- name: "Display results"
uses: aquasecurity/[email protected]
if: ${{ always() && steps.trivy.outcome == 'failure' }}
continue-on-error: ${{ ! matrix.maintainer }}
with:
image-ref: ${{ matrix.image }}
vuln-type: 'os'
format: 'table'
severity: 'CRITICAL,HIGH'
ignore-unfixed: true
ignore-policy: ${{ matrix.trivyignore && '.trivyignore.rego' }}
exit-code: '1'
collect-results:
needs: scan-images
runs-on: ubuntu-20.04
if: ${{ failure() }}
steps:
- name: Download artifacts
uses: actions/download-artifact@v3
with:
path: scan-results/
- name: Collect results
run: |
jq -s '.' scan-results/*/trivy.json > trivy.json
- name: "Upload artifact"
uses: actions/upload-artifact@v3
with:
name: trivy results
path: trivy.json