From 0e2fcdb89f33393ee7100cf0c4147bc03a329a42 Mon Sep 17 00:00:00 2001
From: Guy Owen
Date: Tue, 10 Sep 2024 17:46:20 +1000
Subject: [PATCH] Add scheduled scans of 5.x and 6.x images (#302)
---
 .../vulnerability-scan-schedule-5x.yml | 18 +++++++++++
 .../vulnerability-scan-schedule-6x.yml | 18 +++++++++++
 .github/workflows/vulnerability-scan.yml | 32 +++++++++++++------
 3 files changed, 59 insertions(+), 9 deletions(-)
 create mode 100644 .github/workflows/vulnerability-scan-schedule-5x.yml
 create mode 100644 .github/workflows/vulnerability-scan-schedule-6x.yml
diff --git a/.github/workflows/vulnerability-scan-schedule-5x.yml b/.github/workflows/vulnerability-scan-schedule-5x.yml
new file mode 100644
index 00000000..43d21edd
--- /dev/null
+++ b/.github/workflows/vulnerability-scan-schedule-5x.yml
@@ -0,0 +1,18 @@
+name: vulnerability-scan-schedule-5.x
+run-name: Scheduled CVE vulnerability scan of 5.x published images.
+env:
+ REGISTRY: ghcr.io
+on:
+ schedule:
+ - cron: '0 22 * * 3'
+ workflow_dispatch:
+jobs:
+ vulnerability-scan-schedule:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Scan for vulnerabilities on 5.x images
+ id: scan
+ uses: dpc-sdp/bay/.github/workflows/vulnerability-scan.yml
+ with:
+ tag: 5.x
+ summary: "Trivy CVE scan of 5.x published images."
\ No newline at end of file
diff --git a/.github/workflows/vulnerability-scan-schedule-6x.yml b/.github/workflows/vulnerability-scan-schedule-6x.yml
new file mode 100644
index 00000000..365b858c
--- /dev/null
+++ b/.github/workflows/vulnerability-scan-schedule-6x.yml
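Review bot: `uses: dpc-sdp/bay/.github/workflows/vulnerability-scan.yml` is written as a step under `steps:`, but a reusable workflow can only be invoked from `jobs.<id>.uses`, must carry an `@ref`, and cannot coexist with `runs-on`/`steps` in the same job — as far as I can tell the workflow-file validator will reject this file, so the scheduled 5.x scan never runs. The `with:` inputs move up to the job as well, and the callee then needs an `on: workflow_call` trigger declaring `tag` and `summary` and should read them via `inputs.tag`, since `github.event.inputs.tag` is empty when the caller was triggered by `schedule`. Note also that a caller's `env:` is not inherited by a called workflow, so `REGISTRY: ghcr.io` here is dead unless vulnerability-scan.yml defines it itself. Pin the `@ref` to a full commit SHA rather than a branch so a push to that branch cannot silently change what the scheduled scan executes.
```yaml
jobs:
  vulnerability-scan-schedule:
    # pin to a commit SHA of dpc-sdp/bay, not a branch
    uses: dpc-sdp/bay/.github/workflows/vulnerability-scan.yml@main
    with:
      tag: '5.x'
      summary: "Trivy CVE scan of 5.x published images."
```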
@@ -0,0 +1,18 @@
+name: vulnerability-scan-schedule-6.x
+run-name: Scheduled CVE vulnerability scan of 6.x published images.
+env:
+ REGISTRY: ghcr.io
+on:
+ schedule:
+ - cron: '2 22 * * 3'
+ workflow_dispatch:
+jobs:
+ vulnerability-scan-schedule:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Scan for vulnerabilities on 6.x images
+ id: scan
+ uses: dpc-sdp/bay/.github/workflows/vulnerability-scan.yml
+ with:
+ tag: 6.x
+ summary: "Trivy CVE scan of 6.x published images."
\ No newline at end of file
diff --git a/.github/workflows/vulnerability-scan.yml b/.github/workflows/vulnerability-scan.yml
index 84209f79..22af5b54 100644
--- a/.github/workflows/vulnerability-scan.yml
+++ b/.github/workflows/vulnerability-scan.yml
@@ -9,20 +9,24 @@ on:
 description: 'Summary of the scheduled scan.'
 required: false
 default: 'Trivy CVE scan of published images.'
+ tag:
+ description: 'Tag to scan.'
+ required: false
+ default: '6.x'
 jobs:
 setup-matrix:
 runs-on: ubuntu-latest
 steps:
 - name: Set summary
 run: echo "${{ github.event.inputs.summary }}" >> $GITHUB_STEP_SUMMARY
- - if: github.ref_name == '5.x'
+ - if: github.event.inputs.tag == '5.x'
 uses: druzsan/setup-matrix@v2
 with:
 matrix: |
 images: ${{ vars.IMAGES }}
 exclude:
 - images: mailpit
- - if: github.ref_name != '5.x'
+ - if: github.event.inputs.tag != '5.x'
 uses: druzsan/setup-matrix@v2
 with:
 matrix: |
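Review bot: This file has the same structural problem as the 5.x one — `uses: dpc-sdp/bay/.github/workflows/vulnerability-scan.yml` under `steps:` with no `@ref` is not a valid step, and a reusable-workflow call belongs at `jobs.vulnerability-scan-schedule.uses` with the `with:` block beside it and no `runs-on`/`steps`. Once it is a job-level call, the called workflow runs with this caller's token permissions and (per the other hunks) uploads SARIF; with a read-only default `GITHUB_TOKEN` that upload fails, so declare `permissions:` on the job with `contents: read` and `security-events: write`. Pin the callee with `@<full-sha>` rather than a branch name so the scheduled scan cannot be changed by a later push to that branch. A one-line comment explaining why this run is offset two minutes from the 5.x one (`cron: '2 22 * * 3'`) would also help the next maintainer.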
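Review bot: The new `tag` input's `default: '6.x'` only takes effect when the workflow is started by `workflow_dispatch`; on any other trigger `github.event.inputs.tag` is the empty string, so the `!= '5.x'` step is selected by accident and, in the scan job further down, the image reference ends in a bare `:` — if this workflow is ever run on a schedule or via `workflow_call` (as the two new schedule files attempt), that is a guaranteed failure. Resolve the tag once with a fallback, e.g. a top-level `env:` entry `TAG: ${{ inputs.tag || '6.x' }}` (the `inputs` context covers both `workflow_dispatch` and `workflow_call`), and compare and consume `env.TAG` instead of `github.event.inputs.tag` everywhere. Because the value ends up in a registry tag, a checkout ref and a `refs/heads/` path, constrain the dispatch input rather than accepting free text: `type: choice` with `options: ['5.x', '6.x']`. The `on:` block this input belongs to starts above the hunk, so I cannot see which triggers are declared.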
@@ -31,23 +35,33 @@ jobs:
 run: echo "matrix=$MATRIX" >> $GITHUB_OUTPUT
 outputs:
 matrix: ${{ steps.setup-matrix.outputs.matrix }}
- vulnerability-scan-schedule:
+ set-sha-ref:
+ runs-on: ubuntu-latest
+ steps:
+ - name: checkout
+ id: checkout
+ uses: actions/checkout@main
+ with:
+ ref: ${{ github.event.inputs.tag }}
+ outputs:
+ ref: ${{ steps.checkout.outputs.ref }}
+ commit: ${{ steps.checkout.outputs.commit }}
+ vulnerability-scan:
 runs-on: ubuntu-latest
- needs: setup-matrix
+ needs: [setup-matrix, set-sha-ref]
 strategy:
 matrix: ${{ fromJson(needs.setup-matrix.outputs.matrix) }}
 steps:
- - uses: actions/checkout@v4
- with:
- ref: ${{ github.event.inputs.ref }}
 - name: Scan for vulnerabilities
 id: scan
 uses: crazy-max/ghaction-container-scan@v3
 with:
- image: ${{ env.REGISTRY }}/${{ github.repository }}/${{ matrix.images }}:${{ github.ref_name }}
+ image: ${{ env.REGISTRY }}/${{ github.repository }}/${{ matrix.images }}:${{ github.event.inputs.tag }}
 dockerfile: ./images/${{ matrix.images }}
 - name: Upload SARIF file
 if: ${{ steps.scan.outputs.sarif != '' }}
- uses: github/codeql-action/upload-sarif@v2
+ uses: github/codeql-action/upload-sarif@v3
 with:
 sarif_file: ${{ steps.scan.outputs.sarif }}
+ ref: refs/heads/${{ needs.set-sha-ref.outputs.ref }}
+ sha: ${{ needs.set-sha-ref.outputs.commit }}
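Review bot: Removing `actions/checkout@v4` from the `vulnerability-scan` job leaves its workspace empty, because the checkout now happens in the separate `set-sha-ref` job and job workspaces are not shared between runners; `dockerfile: ./images/${{ matrix.images }}` therefore points at a path that does not exist when `crazy-max/ghaction-container-scan@v3` runs. Either keep a checkout in this job (`- uses: actions/checkout@v4` with `ref: ${{ github.event.inputs.tag }}`) or drop the `dockerfile:` input if the scan no longer needs it. `actions/checkout@main` in `set-sha-ref` replaces a tagged version with a floating branch — presumably because the `ref`/`commit` outputs it reads were not yet in a tagged release — which is exactly the mutable-reference exposure that SHA pinning exists to prevent; pin it to the full commit SHA with a comment naming the version, and do the same for `druzsan/setup-matrix@v2` and `crazy-max/ghaction-container-scan@v3`. Also confirm what `steps.checkout.outputs.ref` actually yields: if it is already fully qualified, or `tag` ever names a git tag rather than a branch, `ref: refs/heads/${{ needs.set-sha-ref.outputs.ref }}` hands upload-sarif a ref that does not exist and the code-scanning results are mis-attributed.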