Skip to content

Security Scan by @sbaerlocher #8

Security Scan by @sbaerlocher

Security Scan by @sbaerlocher #8

---
name: Nightly Security Scan
run-name: |
Security Scan by @${{ github.actor }}
"on":
schedule:
- cron: "0 2 * * *" # Daily 02:00 UTC (public repo — Actions minutes are free)
workflow_dispatch:
workflow_call:
inputs:
upload-sarif:
description: "Upload SARIF results to GitHub Code Scanning"
type: boolean
default: true
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: false
permissions:
contents: read
security-events: write
jobs:
trivy:
name: Trivy Scan
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4
- name: Build image for scanning
uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7
with:
context: .
push: false
load: true
tags: ansible:scan
cache-from: type=registry,ref=ghcr.io/arillso/ansible-cache:latest
cache-to: type=gha,mode=max
provenance: false
sbom: false
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@v0.36.0
with:
image-ref: "ansible:scan"
format: "sarif"
output: "trivy-results.sarif"
severity: "CRITICAL,HIGH"
- name: Upload Trivy scan results
uses: github/codeql-action/upload-sarif@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4
# Upload unless a caller explicitly opts out. On schedule /
# workflow_dispatch there is no `inputs` context, so the bare
# `inputs.upload-sarif != false` evaluated false and silently
# skipped the upload — leaving Code Scanning stale. Skip only
# when a workflow_call caller passes upload-sarif: false.
if: ${{ always() && !(github.event_name == 'workflow_call' && inputs.upload-sarif == false) }}
with:
sarif_file: "trivy-results.sarif"
secrets:
name: Secret Scanning
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7
with:
fetch-depth: 0
- name: TruffleHog scan
uses: trufflesecurity/trufflehog@30d5bb91af1a771378349dbbb0c82129392acf70 # v3.95.6
with:
path: ./
base: ${{ github.event.pull_request.base.sha || 'HEAD~1' }}
head: HEAD
extra_args: --only-verified