Add generic scan workflow - 5.x (#299)

dpc-sdp · Sep 4, 2024 · c3ea1ac · c3ea1ac
1 parent 31f3b66
commit c3ea1ac
Show file tree

Hide file tree

Showing 2 changed files with 53 additions and 48 deletions.
diff --git a/.github/workflows/vulnerability-scan-schedule.yml b/.github/workflows/vulnerability-scan-schedule.yml
@@ -1,48 +0,0 @@
-name: vulnerability-scan-schedule
-run-name: Scheduled CVE vulnerability scan of published images.
-env:
-  REGISTRY: ghcr.io
-on:
-  schedule:
-    - cron: '0 22 * * 3'
-jobs:
-  vulnerability-scan-schedule:
-    if: github.event_name == 'schedule'
-    runs-on: ubuntu-latest
-    strategy:
-      matrix:
-        images: ${{ fromJson(vars.IMAGES) }}
-        branches: ${{ fromJson(vars.BRANCHES) }}
-        exclude:
-          - images: ci-builder
-            branches: 4.x
-          - images: clamav
-            branches: 4.x
-          - images: elasticsearch
-            branches: 4.x
-          - images: mailhog
-            branches: 4.x
-          - images: mariadb
-            branches: 4.x
-          - images: nginx
-            branches: 4.x
-          - images: php-cli
-            branches: 4.x
-          - images: php-fpm
-            branches: 4.x
-          - images: ripple-static
-            branches: 4.x
-          - images: mailpit
-            branches: 5.x
-    steps:
-      - name: Scan for vulnerabilities
-        id: scan
-        uses: crazy-max/ghaction-container-scan@v3
-        with:
-          image: ${{ env.REGISTRY }}/${{ github.repository }}/${{ matrix.images }}:${{matrix.branches}}
-          dockerfile: ./images/${{ matrix.images }}
-      - name: Upload SARIF file
-        if: ${{ steps.scan.outputs.sarif != '' }}
-        uses: github/codeql-action/upload-sarif@v2
-        with:
-          sarif_file: ${{ steps.scan.outputs.sarif }}

diff --git a/.github/workflows/vulnerability-scan.yml b/.github/workflows/vulnerability-scan.yml
@@ -0,0 +1,53 @@
+name: vulnerability-scan
+run-name: Scheduled CVE vulnerability scan of published images.
+env:
+  REGISTRY: ghcr.io
+on:
+  workflow_dispatch:
+    inputs:
+      summary:
+        description: 'Summary of the scheduled scan.'
+        required: false
+        default: 'Trivy CVE scan of published images.'
+jobs:
+  setup-matrix:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Set summary
+        run: echo "${{ github.event.inputs.summary }}" >> $GITHUB_STEP_SUMMARY
+      - if: github.ref_name == '5.x'
+        uses: druzsan/setup-matrix@v2
+        with:
+          matrix: |
+            images: ${{ vars.IMAGES }}
+            exclude:
+              - images: mailpit
+      - if: github.ref_name != '5.x'
+        uses: druzsan/setup-matrix@v2
+        with:
+          matrix: |
+            images: ${{ vars.IMAGES }}
+      - id: setup-matrix
+        run: echo "matrix=$MATRIX" >> $GITHUB_OUTPUT
+    outputs:
+        matrix: ${{ steps.setup-matrix.outputs.matrix }}
+  vulnerability-scan-schedule:
+    runs-on: ubuntu-latest
+    needs: setup-matrix
+    strategy:
+      matrix: ${{ fromJson(needs.setup-matrix.outputs.matrix) }}
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          ref: ${{ github.event.inputs.ref }}
+      - name: Scan for vulnerabilities
+        id: scan
+        uses: crazy-max/ghaction-container-scan@v3
+        with:
+          image: ${{ env.REGISTRY }}/${{ github.repository }}/${{ matrix.images }}:${{ github.ref_name }}
+          dockerfile: ./images/${{ matrix.images }}
+      - name: Upload SARIF file
+        if: ${{ steps.scan.outputs.sarif != '' }}
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          sarif_file: ${{ steps.scan.outputs.sarif }}