Scheduled Vulnerability Scan #11
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Scheduled Vulnerability Scan | |
| on: | |
| schedule: | |
| - cron: '0 6 * * 1' | |
| workflow_dispatch: | |
| env: | |
| REGISTRY: ghcr.io | |
| IMAGE_NAME: ${{ github.repository }} | |
| jobs: | |
| scan: | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: read | |
| packages: read | |
| security-events: write | |
| issues: write | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| - name: Run Trivy vulnerability scanner | |
| uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # 0.35.0 | |
| with: | |
| image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest | |
| format: sarif | |
| output: trivy-results.sarif | |
| severity: CRITICAL,HIGH | |
| trivyignores: .trivyignore | |
| - name: Upload Trivy SARIF | |
| uses: github/codeql-action/upload-sarif@b1bff81932f5cdfc8695c7752dcee935dcd061c8 # v4.33.0 | |
| with: | |
| sarif_file: trivy-results.sarif | |
| - name: Check for critical vulnerabilities | |
| id: check | |
| uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # 0.35.0 | |
| with: | |
| image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest | |
| format: table | |
| output: trivy-results.txt | |
| severity: CRITICAL | |
| exit-code: '1' | |
| trivyignores: .trivyignore | |
| continue-on-error: true | |
| - name: Create issue on critical vulnerabilities | |
| if: steps.check.outcome == 'failure' | |
| env: | |
| GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| run: | | |
| BODY="## Trivy Scan Results | |
| Critical vulnerabilities were detected in the \`latest\` image during the scheduled weekly scan. | |
| <details> | |
| <summary>Scan output</summary> | |
| \`\`\` | |
| $(cat trivy-results.txt) | |
| \`\`\` | |
| </details> | |
| Please review and update the base image or affected packages." | |
| gh issue create \ | |
| --title "Critical vulnerabilities found in latest image" \ | |
| --body "$BODY" \ | |
| --label "security" |