.github/workflows/vulnerability-scan.yml

name: vulnerability-scan-schedule
run-name: Scheduled CVE vulnerability scan of published images.
env:
  REGISTRY: ghcr.io
on:
  workflow_dispatch:
jobs:
  setup-matrix:
    runs-on: ubuntu-latest
    steps:
      - if: github.ref_name == '5.x'
        uses: druzsan/setup-matrix@v2
        with:
          matrix: |
            images: ${{ fromJson(vars.IMAGES) }}
            exclude:
              - images: mailpit
      - if: github.ref_name != '5.x'
        uses: druzsan/setup-matrix@v2
        with:
          matrix: |
            images: ${{ fromJson(vars.IMAGES) }}
      - id: setup-matrix
        run: echo "matrix=$MATRIX" >> $GITHUB_OUTPUT
    outputs:
        matrix: ${{ steps.setup-matrix.outputs.matrix }}
  vulnerability-scan-schedule:
    runs-on: ubuntu-latest
    needs: setup-matrix
    strategy:
      matrix: ${{ fromJson(needs.setup-matrix.outputs.matrix) }}
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.inputs.ref }}
      - name: Scan for vulnerabilities
        id: scan
        uses: crazy-max/ghaction-container-scan@v3
        with:
          image: ${{ env.REGISTRY }}/${{ github.repository }}/${{ matrix.images }}:5.x
          annotations: true
          dockerfile: ./images/${{ matrix.images }}
      - name: Upload SARIF file
        if: ${{ steps.scan.outputs.sarif != '' }}
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: ${{ steps.scan.outputs.sarif }}