From 360edaec4f1c516edffa39cda35e8d586388d658 Mon Sep 17 00:00:00 2001
From: Guy Owen <guy.owen@dpc.vic.gov.au>
Date: Tue, 10 Sep 2024 13:08:03 +1000
Subject: [PATCH] [291] Added scheduled scans for fixed tags.

---
 .../vulnerability-scan-schedule-5x.yml         | 18 ++++++++++++++++++
 .../vulnerability-scan-schedule-6x.yml         | 18 ++++++++++++++++++
 .github/workflows/vulnerability-scan.yml       | 18 ++++++++++--------
 3 files changed, 46 insertions(+), 8 deletions(-)
 create mode 100644 .github/workflows/vulnerability-scan-schedule-5x.yml
 create mode 100644 .github/workflows/vulnerability-scan-schedule-6x.yml

diff --git a/.github/workflows/vulnerability-scan-schedule-5x.yml b/.github/workflows/vulnerability-scan-schedule-5x.yml
new file mode 100644
index 00000000..43d21edd
--- /dev/null
+++ b/.github/workflows/vulnerability-scan-schedule-5x.yml
@@ -0,0 +1,18 @@
+name: vulnerability-scan-schedule-5.x
+run-name: Scheduled CVE vulnerability scan of 5.x published images.
+env:
+  REGISTRY: ghcr.io
+on:
+  schedule:
+    - cron: '0 22 * * 3'
+  workflow_dispatch:
+jobs:
+  vulnerability-scan-schedule:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Scan for vulnerabilities on 5.x images
+        id: scan
+        uses: dpc-sdp/bay/.github/workflows/vulnerability-scan.yml
+        with:
+          tag: 5.x
+          summary: "Trivy CVE scan of 5.x published images."
\ No newline at end of file
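Review bot: The `uses: dpc-sdp/bay/.github/workflows/vulnerability-scan.yml` on line L34 is a reusable workflow referenced from a step, which GitHub rejects (a step `uses:` must point at an action with an action.yml and carry an `@ref`); a reusable workflow is called with `jobs.<id>.uses: owner/repo/.github/workflows/file.yml@ref` and `with:` at job level, and the called workflow needs an `on.workflow_call` trigger declaring `tag` and `summary` inputs, which the vulnerability-scan.yml hunks in this commit do not add. The caller's `env.REGISTRY` on L22-L23 does not propagate into a called workflow either, so it is dead here if vulnerability-scan.yml defines its own (its `env:` block is outside the hunks, so I cannot confirm). Because a called workflow cannot exceed the caller's token permissions, the caller job should also grant what the SARIF upload step needs, e.g. `permissions: { contents: read, security-events: write }`; if the repository default is already permissive this is still worth pinning explicitly. The same applies to the 6.x file (L45-L62), and `tag: 5.x` / `tag: 6.x` should be quoted for consistency with the `'6.x'` default the called workflow declares.
```yaml
jobs:
  vulnerability-scan-schedule:
    permissions:
      contents: read
      security-events: write
    uses: dpc-sdp/bay/.github/workflows/vulnerability-scan.yml@REF_PLACEHOLDER  # placeholder: pin to a branch or tag
    with:
      tag: '5.x'
      summary: "Trivy CVE scan of 5.x published images."
```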
diff --git a/.github/workflows/vulnerability-scan-schedule-6x.yml b/.github/workflows/vulnerability-scan-schedule-6x.yml
new file mode 100644
index 00000000..365b858c
--- /dev/null
+++ b/.github/workflows/vulnerability-scan-schedule-6x.yml
@@ -0,0 +1,18 @@
+name: vulnerability-scan-schedule-6.x
+run-name: Scheduled CVE vulnerability scan of 6.x published images.
+env:
+  REGISTRY: ghcr.io
+on:
+  schedule:
+    - cron: '2 22 * * 3'
+  workflow_dispatch:
+jobs:
+  vulnerability-scan-schedule:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Scan for vulnerabilities on 6.x images
+        id: scan
+        uses: dpc-sdp/bay/.github/workflows/vulnerability-scan.yml
+        with:
+          tag: 6.x
+          summary: "Trivy CVE scan of 6.x published images."
\ No newline at end of file
diff --git a/.github/workflows/vulnerability-scan.yml b/.github/workflows/vulnerability-scan.yml
index 84209f79..362465be 100644
--- a/.github/workflows/vulnerability-scan.yml
+++ b/.github/workflows/vulnerability-scan.yml
@@ -9,20 +9,24 @@ on:
         description: 'Summary of the scheduled scan.'
         required: false
         default: 'Trivy CVE scan of published images.'
+      tag:
+        description: 'Tag to scan.'
+        required: false
+        default: '6.x'
 jobs:
   setup-matrix:
     runs-on: ubuntu-latest
     steps:
       - name: Set summary
         run: echo "${{ github.event.inputs.summary }}" >> $GITHUB_STEP_SUMMARY
-      - if: github.ref_name == '5.x'
+      - if: github.event.inputs.tag == '5.x'
         uses: druzsan/setup-matrix@v2
         with:
           matrix: |
             images: ${{ vars.IMAGES }}
             exclude:
               - images: mailpit
-      - if: github.ref_name != '5.x'
+      - if: github.event.inputs.tag != '5.x'
         uses: druzsan/setup-matrix@v2
         with:
           matrix: |
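Review bot: The two conditions at L83 and L91 key off `github.event.inputs.tag`, which is only populated for a `workflow_dispatch` event; when this workflow is invoked any other way (a reusable-workflow call from the new schedule files, or a future push/schedule trigger) it is empty, so the `!= '5.x'` branch silently wins and the image reference later in the file ends with an empty tag. Use the `inputs` context, which resolves for both `workflow_dispatch` and `workflow_call`: `- if: inputs.tag == '5.x'` and `- if: inputs.tag != '5.x'`. The new `tag` input at L72-L75 is free text that flows into the image reference; constrain it with `type: choice` and `options: ['5.x', '6.x']` so a typo cannot select an unintended image. While here, the context line at L81 interpolates the `summary` input directly into a shell command; pass it as `env: { SUMMARY: "${{ inputs.summary }}" }` and `echo "$SUMMARY"` instead of expanding it inside `run:`. The enclosing `on:` block starts outside the hunk.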
@@ -31,23 +35,21 @@ jobs:
         run: echo "matrix=$MATRIX" >> $GITHUB_OUTPUT
     outputs:
         matrix: ${{ steps.setup-matrix.outputs.matrix }}
-  vulnerability-scan-schedule:
+  vulnerability-scan:
     runs-on: ubuntu-latest
     needs: setup-matrix
     strategy:
       matrix: ${{ fromJson(needs.setup-matrix.outputs.matrix) }}
     steps:
-      - uses: actions/checkout@v4
-        with:
-          ref: ${{ github.event.inputs.ref }}
       - name: Scan for vulnerabilities
         id: scan
         uses: crazy-max/ghaction-container-scan@v3
         with:
-          image: ${{ env.REGISTRY }}/${{ github.repository }}/${{ matrix.images }}:${{ github.ref_name }}
+          image: ${{ env.REGISTRY }}/${{ github.repository }}/${{ matrix.images }}:${{ github.event.inputs.tag }}
           dockerfile: ./images/${{ matrix.images }}
       - name: Upload SARIF file
         if: ${{ steps.scan.outputs.sarif != '' }}
-        uses: github/codeql-action/upload-sarif@v2
+        uses: github/codeql-action/upload-sarif@v3
         with:
           sarif_file: ${{ steps.scan.outputs.sarif }}
+          ref: ${{ github.event.inputs.tag }}
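Review bot: The new `ref: ${{ github.event.inputs.tag }}` on the last line of the hunk passes a bare `6.x` to upload-sarif, but that action's `ref` input expects a fully qualified ref (`refs/heads/…` or `refs/tags/…`) and, when `ref` is set, also requires `sha`; as written the upload should fail validation, and because the condition on L117 only checks that a SARIF file exists, a failing upload means the scan results never reach code scanning. With the checkout removed at L106-L108 there is also no commit in the workspace to attribute results to, and `dockerfile: ./images/…` on L115 now points at a path that does not exist in the runner (I cannot tell from here whether ghaction-container-scan tolerates that). Restore a checkout of the scanned branch, resolve its commit, and pass both to the upload; this assumes `5.x`/`6.x` are branches, as the previous `github.ref_name` comparison suggests, so use `refs/tags/` if they are tags.
```yaml
      - uses: actions/checkout@v4
        with:
          ref: ${{ inputs.tag }}
      - name: Resolve scanned commit
        id: ref
        run: echo "sha=$(git rev-parse HEAD)" >> "$GITHUB_OUTPUT"
      # … unchanged: scan step …
      - name: Upload SARIF file
        if: ${{ steps.scan.outputs.sarif != '' }}
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: ${{ steps.scan.outputs.sarif }}
          ref: refs/heads/${{ inputs.tag }}
          sha: ${{ steps.ref.outputs.sha }}
```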