.github/workflows/cron-scan-images-daily.yaml

name: cron-scan-images-daily

on:
  schedule:
    - cron: "0 16 * * *"
  workflow_dispatch: {}

jobs:
  build-matrix:
    runs-on: ubuntu-20.04
    outputs:
      matrix: ${{ steps.set-matrix.outputs.matrix }}
    steps:
      - uses: actions/setup-node@v3
      - uses: actions/checkout@v4
      - name: Install dependencies
        working-directory: ./bin/scan-images/
        run: npm install
      - id: set-matrix
        name: Build image matrix
        run: |
          echo "matrix<<EOF" >> "$GITHUB_OUTPUT"
          ./bin/scan-images/matrix.js >> "$GITHUB_OUTPUT"
          echo "EOF" >> "$GITHUB_OUTPUT"

  scan-images:
    name: ${{ matrix.addon }}:${{ matrix.version }} - ${{ matrix.name }}
    needs: build-matrix
    runs-on: ubuntu-20.04
    strategy:
      matrix: ${{ fromJSON(needs.build-matrix.outputs.matrix) }}
      fail-fast: false
      max-parallel: 5
    steps:
      - name: "Write Trivy ignore file"
        run: if [ -n '${{ matrix.trivyignore }}' ]; then echo '${{ matrix.trivyignore }}' | base64 -d > .trivyignore.rego ; fi
      - name: "Generate artifact"
        id: trivy
        uses: aquasecurity/trivy-action@0.12.0
        continue-on-error: ${{ ! matrix.maintainer }}
        with:
          image-ref: ${{ matrix.image }}
          vuln-type: 'os'
          format: 'json'
          output: 'trivy.json'
          severity: 'CRITICAL,HIGH'
          ignore-unfixed: true
          ignore-policy: ${{ matrix.trivyignore && '.trivyignore.rego' }}
          exit-code: '1'
      - name: "Upload artifact"
        uses: actions/upload-artifact@v3
        if: ${{ always() && steps.trivy.outcome == 'failure' }}
        with:
          name: ${{ matrix.addon }}-${{ matrix.version }}-${{ matrix.name }}
          path: trivy.json
      - name: "Display results"
        uses: aquasecurity/trivy-action@0.12.0
        if: ${{ always() && steps.trivy.outcome == 'failure' }}
        continue-on-error: ${{ ! matrix.maintainer }}
        with:
          image-ref: ${{ matrix.image }}
          vuln-type: 'os'
          format: 'table'
          severity: 'CRITICAL,HIGH'
          ignore-unfixed: true
          ignore-policy: ${{ matrix.trivyignore && '.trivyignore.rego' }}
          exit-code: '1'

  collect-results:
    needs: scan-images
    runs-on: ubuntu-20.04
    if: ${{ failure() }}
    steps:
      - name: Download artifacts
        uses: actions/download-artifact@v3
        with:
          path: scan-results/
      - name: Collect results
        run: |
          jq -s '.' scan-results/*/trivy.json > trivy.json
      - name: "Upload artifact"
        uses: actions/upload-artifact@v3
        with:
          name: trivy results
          path: trivy.json