From 38d35e107ea9235c0c379d4ee6011174495d4e60 Mon Sep 17 00:00:00 2001
From: Guy Owen
Date: Tue, 20 Aug 2024 12:35:59 +1000
Subject: [PATCH] [DDS-2006] Updated base branch for scan for 6.x (#280)
---
 ...yml => vulnerability-scan-schedule-5x.yml} | 23 ++-------------
 .../vulnerability-scan-schedule-6x.yml | 29 +++++++++++++++++++
 2 files changed, 32 insertions(+), 20 deletions(-)
 rename .github/workflows/{vulnerability-scan-schedule.yml => vulnerability-scan-schedule-5x.yml} (60%)
 create mode 100644 .github/workflows/vulnerability-scan-schedule-6x.yml
diff --git a/.github/workflows/vulnerability-scan-schedule.yml b/.github/workflows/vulnerability-scan-schedule-5x.yml
similarity index 60%
rename from .github/workflows/vulnerability-scan-schedule.yml
rename to .github/workflows/vulnerability-scan-schedule-5x.yml
index 69a77ee0..8eeef375 100644
--- a/.github/workflows/vulnerability-scan-schedule.yml
+++ b/.github/workflows/vulnerability-scan-schedule-5x.yml
@@ -12,29 +12,12 @@ jobs: strategy: matrix: images: ${{ fromJson(vars.IMAGES) }} - branches: ${{ fromJson(vars.BRANCHES) }} exclude: - - images: ci-builder branches: 4.x - - images: clamav branches: 4.x - - images: elasticsearch branches: 4.x - - images: mailhog branches: 4.x - - images: mariadb branches: 4.x - - images: nginx branches: 4.x - - images: php-cli branches: 4.x - - images: php-fpm branches: 4.x - - images: ripple-static branches: 4.x - images: mailpit - branches: 5.x steps: + - uses: actions/checkout@v4 + with: + ref: 5.x - name: Scan for vulnerabilities id: scan uses: crazy-max/ghaction-container-scan@v3
diff --git a/.github/workflows/vulnerability-scan-schedule-6x.yml b/.github/workflows/vulnerability-scan-schedule-6x.yml
new file mode 100644
index 00000000..cdeaacbf
--- /dev/null
+++ b/.github/workflows/vulnerability-scan-schedule-6x.yml
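Review bot: The hunk removes the `branches` dimension from the matrix, but the sibling 6x workflow added in this same commit still builds its image reference with `${{matrix.branches}}`; if the `image:` line of this renamed file, which lies below the end of the hunk, does the same, that tag now expands to an empty string and the 5.x images are never actually scanned. Hard-code the tag to match the new checkout, `image: ${{ env.REGISTRY }}/${{ github.repository }}/${{ matrix.images }}:5.x`, or carry it in `env:` so the `ref:` and the tag cannot drift apart. The new `actions/checkout@v4` step is pinned to a floating major tag; a full commit SHA pin is the safer choice for a scheduled job that runs with no human in the loop. The job's `permissions:` (if any) are outside this hunk, but a job that only scans and uploads SARIF needs no more than `contents: read` and `security-events: write`, so check that it is not running with the repository's default write-all token.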
@@ -0,0 +1,29 @@
+name: vulnerability-scan-schedule
+run-name: Scheduled CVE vulnerability scan of published images.
+env:
+ REGISTRY: ghcr.io
+on:
+ schedule:
+ - cron: '0 22 * * 3'
+jobs:
+ vulnerability-scan-schedule:
+ if: github.event_name == 'schedule'
+ runs-on: ubuntu-latest
+ strategy:
+ matrix:
+ images: ${{ fromJson(vars.IMAGES) }}
+ steps:
+ - uses: actions/checkout@v4
+ with:
+ ref: 6.x
+ - name: Scan for vulnerabilities
+ id: scan
+ uses: crazy-max/ghaction-container-scan@v3
+ with:
+ image: ${{ env.REGISTRY }}/${{ github.repository }}/${{ matrix.images }}:${{matrix.branches}}
+ dockerfile: ./images/${{ matrix.images }}
+ - name: Upload SARIF file
+ if: ${{ steps.scan.outputs.sarif != '' }}
+ uses: github/codeql-action/upload-sarif@v2
+ with:
+ sarif_file: ${{ steps.scan.outputs.sarif }}
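Review bot: The `image:` line tags the image with `${{matrix.branches}}`, but this workflow's matrix (the `strategy:` block above it) defines only `images`, so the expression expands to an empty string and the reference ends in a bare `:` — every matrix leg scans a tag that does not exist. Since the checkout already pins `ref: 6.x`, tag the image the same way: `image: ${{ env.REGISTRY }}/${{ github.repository }}/${{ matrix.images }}:6.x`. The job also declares no `permissions:`; `upload-sarif` needs `security-events: write`, so add a job-level `permissions:` block with `contents: read` and `security-events: write` instead of inheriting the repository's default token scope, which is either broader than the job needs or, if read-only, makes the upload step fail. Finally, all three actions are pinned to floating major tags (`@v4`, `@v3`, `@v2`); pinning to full commit SHAs is the usual supply-chain hardening for a workflow that runs a third-party scanner and writes results into code scanning, and `codeql-action@v2` is an older major that is worth checking against the current deprecation schedule before relying on it.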