Skip to content

Scheduled Vulnerability Scan #11

Scheduled Vulnerability Scan

Scheduled Vulnerability Scan #11

name: Scheduled Vulnerability Scan
on:
schedule:
- cron: '0 6 * * 1'
workflow_dispatch:
env:
REGISTRY: ghcr.io
IMAGE_NAME: ${{ github.repository }}
jobs:
scan:
runs-on: ubuntu-latest
permissions:
contents: read
packages: read
security-events: write
issues: write
steps:
- name: Checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # 0.35.0
with:
image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest
format: sarif
output: trivy-results.sarif
severity: CRITICAL,HIGH
trivyignores: .trivyignore
- name: Upload Trivy SARIF
uses: github/codeql-action/upload-sarif@b1bff81932f5cdfc8695c7752dcee935dcd061c8 # v4.33.0
with:
sarif_file: trivy-results.sarif
- name: Check for critical vulnerabilities
id: check
uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # 0.35.0
with:
image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest
format: table
output: trivy-results.txt
severity: CRITICAL
exit-code: '1'
trivyignores: .trivyignore
continue-on-error: true
- name: Create issue on critical vulnerabilities
if: steps.check.outcome == 'failure'
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
BODY="## Trivy Scan Results
Critical vulnerabilities were detected in the \`latest\` image during the scheduled weekly scan.
<details>
<summary>Scan output</summary>
\`\`\`
$(cat trivy-results.txt)
\`\`\`
</details>
Please review and update the base image or affected packages."
gh issue create \
--title "Critical vulnerabilities found in latest image" \
--body "$BODY" \
--label "security"