-
Notifications
You must be signed in to change notification settings - Fork 78
85 lines (81 loc) · 2.65 KB
/
cron-scan-images-daily.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
name: cron-scan-images-daily
on:
schedule:
- cron: "0 16 * * *"
workflow_dispatch: {}
jobs:
build-matrix:
runs-on: ubuntu-20.04
outputs:
matrix: ${{ steps.set-matrix.outputs.matrix }}
steps:
- uses: actions/setup-node@v4
- uses: actions/checkout@v4
- name: Install dependencies
working-directory: ./bin/scan-images/
run: npm install
- id: set-matrix
name: Build image matrix
run: |
echo "matrix<<EOF" >> "$GITHUB_OUTPUT"
./bin/scan-images/matrix.js >> "$GITHUB_OUTPUT"
echo "EOF" >> "$GITHUB_OUTPUT"
scan-images:
name: ${{ matrix.addon }}:${{ matrix.version }} - ${{ matrix.name }}
needs: build-matrix
runs-on: ubuntu-20.04
strategy:
matrix: ${{ fromJSON(needs.build-matrix.outputs.matrix) }}
fail-fast: false
max-parallel: 5
steps:
- name: "Write Trivy ignore file"
run: if [ -n '${{ matrix.trivyignore }}' ]; then echo '${{ matrix.trivyignore }}' | base64 -d > .trivyignore.rego ; fi
- name: "Generate artifact"
id: trivy
uses: aquasecurity/[email protected]
continue-on-error: ${{ ! matrix.maintainer }}
with:
image-ref: ${{ matrix.image }}
vuln-type: 'os'
format: 'json'
output: 'trivy.json'
severity: 'CRITICAL,HIGH'
ignore-unfixed: true
ignore-policy: ${{ matrix.trivyignore && '.trivyignore.rego' }}
exit-code: '1'
- name: "Upload artifact"
uses: actions/upload-artifact@v4
if: ${{ always() && steps.trivy.outcome == 'failure' }}
with:
name: ${{ matrix.addon }}-${{ matrix.version }}-${{ matrix.name }}
path: trivy.json
- name: "Display results"
uses: aquasecurity/[email protected]
if: ${{ always() && steps.trivy.outcome == 'failure' }}
continue-on-error: ${{ ! matrix.maintainer }}
with:
image-ref: ${{ matrix.image }}
vuln-type: 'os'
format: 'table'
severity: 'CRITICAL,HIGH'
ignore-unfixed: true
ignore-policy: ${{ matrix.trivyignore && '.trivyignore.rego' }}
exit-code: '1'
collect-results:
needs: scan-images
runs-on: ubuntu-20.04
if: ${{ failure() }}
steps:
- name: Download artifacts
uses: actions/download-artifact@v4
with:
path: scan-results/
- name: Collect results
run: |
jq -s '.' scan-results/*/trivy.json > trivy.json
- name: "Upload artifact"
uses: actions/upload-artifact@v4
with:
name: trivy results
path: trivy.json