From c3ea1ac38e315b64087878fb7a0c4a2dceada394 Mon Sep 17 00:00:00 2001
From: Guy Owen
Date: Wed, 4 Sep 2024 14:45:11 +1000
Subject: [PATCH] Add generic scan workflow - 5.x (#299)
---
.../workflows/vulnerability-scan-schedule.yml | 48 -----------------
.github/workflows/vulnerability-scan.yml | 53 +++++++++++++++++++
2 files changed, 53 insertions(+), 48 deletions(-)
create mode 100644 .github/workflows/vulnerability-scan.yml
diff --git a/.github/workflows/vulnerability-scan-schedule.yml b/.github/workflows/vulnerability-scan-schedule.yml
index 69a77ee0f..e69de29bb 100644
--- a/.github/workflows/vulnerability-scan-schedule.yml
+++ b/.github/workflows/vulnerability-scan-schedule.yml
@@ -1,48 +0,0 @@
-name: vulnerability-scan-schedule
-run-name: Scheduled CVE vulnerability scan of published images.
-env:
- REGISTRY: ghcr.io
-on:
- schedule:
- - cron: '0 22 * * 3'
-jobs:
- vulnerability-scan-schedule:
- if: github.event_name == 'schedule'
- runs-on: ubuntu-latest
- strategy:
- matrix:
- images: ${{ fromJson(vars.IMAGES) }}
- branches: ${{ fromJson(vars.BRANCHES) }}
- exclude:
- - images: ci-builder
- branches: 4.x
- - images: clamav
- branches: 4.x
- - images: elasticsearch
- branches: 4.x
- - images: mailhog
- branches: 4.x
- - images: mariadb
- branches: 4.x
- - images: nginx
- branches: 4.x
- - images: php-cli
- branches: 4.x
- - images: php-fpm
- branches: 4.x
- - images: ripple-static
- branches: 4.x
- - images: mailpit
- branches: 5.x
- steps:
- - name: Scan for vulnerabilities
- id: scan
- uses: crazy-max/ghaction-container-scan@v3
- with:
- image: ${{ env.REGISTRY }}/${{ github.repository }}/${{ matrix.images }}:${{matrix.branches}}
- dockerfile: ./images/${{ matrix.images }}
- - name: Upload SARIF file
- if: ${{ steps.scan.outputs.sarif != '' }}
- uses: github/codeql-action/upload-sarif@v2
- with:
- sarif_file: ${{ steps.scan.outputs.sarif }}
diff --git a/.github/workflows/vulnerability-scan.yml b/.github/workflows/vulnerability-scan.yml
new file mode 100644
index 000000000..84209f79e
--- /dev/null
+++ b/.github/workflows/vulnerability-scan.yml
@@ -0,0 +1,53 @@
+name: vulnerability-scan
+run-name: Scheduled CVE vulnerability scan of published images.
+env:
+ REGISTRY: ghcr.io
+on:
+ workflow_dispatch:
+ inputs:
+ summary:
+ description: 'Summary of the scheduled scan.'
+ required: false
+ default: 'Trivy CVE scan of published images.'
+jobs:
+ setup-matrix:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Set summary
+ run: echo "${{ github.event.inputs.summary }}" >> $GITHUB_STEP_SUMMARY
+ - if: github.ref_name == '5.x'
+ uses: druzsan/setup-matrix@v2
+ with:
+ matrix: |
+ images: ${{ vars.IMAGES }}
+ exclude:
+ - images: mailpit
+ - if: github.ref_name != '5.x'
+ uses: druzsan/setup-matrix@v2
+ with:
+ matrix: |
+ images: ${{ vars.IMAGES }}
+ - id: setup-matrix
+ run: echo "matrix=$MATRIX" >> $GITHUB_OUTPUT
+ outputs:
+ matrix: ${{ steps.setup-matrix.outputs.matrix }}
+ vulnerability-scan-schedule:
+ runs-on: ubuntu-latest
+ needs: setup-matrix
+ strategy:
+ matrix: ${{ fromJson(needs.setup-matrix.outputs.matrix) }}
+ steps:
+ - uses: actions/checkout@v4
+ with:
+ ref: ${{ github.event.inputs.ref }}
+ - name: Scan for vulnerabilities
+ id: scan
+ uses: crazy-max/ghaction-container-scan@v3
+ with:
+ image: ${{ env.REGISTRY }}/${{ github.repository }}/${{ matrix.images }}:${{ github.ref_name }}
+ dockerfile: ./images/${{ matrix.images }}
+ - name: Upload SARIF file
+ if: ${{ steps.scan.outputs.sarif != '' }}
+ uses: github/codeql-action/upload-sarif@v2
+ with:
+ sarif_file: ${{ steps.scan.outputs.sarif }}
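Review bot: The `Set summary` step in `setup-matrix` interpolates the `summary` workflow_dispatch input straight into the shell line (`run: echo "${{ github.event.inputs.summary }}" >> $GITHUB_STEP_SUMMARY`), so a value such as `x"; curl … #` executes on the runner; dispatch needs write access, which limits the exposure to collaborators, but the expression should still be passed through an environment variable rather than expanded into the script: `env:` / `  SUMMARY: ${{ github.event.inputs.summary }}` and `run: echo "$SUMMARY" >> "$GITHUB_STEP_SUMMARY"`. The checkout step reads `ref: ${{ github.event.inputs.ref }}`, but the only declared input is `summary`, so that expression is always empty and checkout silently falls back to the dispatching ref; either declare a `ref` input or drop the `with:` block so the Dockerfile and the scanned tag (`${{ github.ref_name }}` in the image reference) are guaranteed to come from the same ref. The scan job uploads SARIF but the workflow declares no `permissions:`; an explicit `permissions: { contents: read, security-events: write }` at the top records the least privilege the token needs and keeps the upload working under restricted default token permissions. The old file is emptied rather than removed (its new blob is the empty object) and the new file has only a `workflow_dispatch` trigger, so despite the run-name "Scheduled CVE vulnerability scan" nothing runs on a schedule unless another workflow or an external scheduler dispatches this one — worth stating in a comment above `on:`. `druzsan/setup-matrix@v2` and `crazy-max/ghaction-container-scan@v3` are third-party actions referenced by mutable tags; pinning them to a full commit SHA is the usual hardening for a workflow that reads repository `vars` and publishes security results.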