Merge pull request #100 from R-HNF/feature/#45-add-daily-vul-scan

Add daily vulnerability scan

.github/ISSUE_TEMPLATE/trivy-results.tpl

@@ -0,0 +1,27 @@
+{{ $d := dict "CRITICAL" "🔴" "HIGH" "🟠" "MEDIUM" "🟡" "UNKNOWN" "🟤" }}
+
+{{- range . -}}
+## {{ .Target }}
+
+### {{ .Type }} [{{ .Class }}]
+
+{{ if .Vulnerabilities -}}
+| Title | Severity | CVE | Package Name | Installed Version | Fixed Version | PrimaryURL |
+| :--: | :--: | :--: | :--: | :--: | :--: | :-- |
+{{- range .Vulnerabilities }}
+| {{ .Title -}}
+| {{ get $d .Severity }}{{ .Severity -}}
+| {{ .VulnerabilityID -}}
+| {{ .PkgName -}}
+| {{ .InstalledVersion -}}
+| {{ .FixedVersion -}}
+| {{ .PrimaryURL -}}
+|
+{{- end }}
+
+{{ else -}}
+_No vulnerabilities found_
+
+{{ end }}
+
+{{- end }}

.github/workflows/daily-vul-scan.yml

@@ -0,0 +1,72 @@
+name: daily vulnerability scan
+
+on:
+  schedule:
+    - cron: '0 0 * * *'
+
+env:
+  IMAGE_NAME: zozo-gatling-operator
+  TRIVY_RESULTS_MARKDOWN: trivy-results.md
+
+permissions:
+  contents: read
+  issues: write
+
+jobs:
+  build-scan-and-save-results:
+    name: Build, scan, and save results
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup Go
+        uses: actions/setup-go@v4
+        with:
+          go-version-file: ./go.mod
+          cache: true
+
+      - name: Go modules sync
+        run: go mod tidy
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Build an image from Dockerfile
+        run: |
+          make docker-build IMG="${{ env.IMAGE_NAME }}:${{ github.sha }}"
+
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@master
+        with:
+          scan-type: image
+          image-ref: "${{ env.IMAGE_NAME }}:${{ github.sha }}"
+          exit-code: 1
+          ignore-unfixed: true
+          vuln-type: os,library
+          severity: HIGH,CRITICAL
+          timeout: 10m0s
+          scanners: vuln,secret,config
+          format: template
+          template: "@.github/ISSUE_TEMPLATE/trivy-results.tpl"
+          output: ${{ env.TRIVY_RESULTS_MARKDOWN }}
+
+      - name: Insert YAML front matter into the results markdown
+        if: always()
+        run: |
+          sed -i '1i\
+          ---\
+          title: "[DO NOT CHANGE] Security Alert"\
+          labels: "trivy, vulnerability"\
+          ---\
+          ' "${{ env.TRIVY_RESULTS_MARKDOWN }}"
+
+      - name: Create or update the trivy results issue
+        uses: JasonEtco/create-an-issue@v2
+        if: always()
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          filename: ${{ env.TRIVY_RESULTS_MARKDOWN }}
+          update_existing: true
+          search_existing: open

README.md

@@ -1,6 +1,6 @@
 # Gatling Operator
 
-[![Go Report Card](https://goreportcard.com/badge/github.com/st-tech/gatling-operator)](https://goreportcard.com/report/github.com/st-tech/gatling-operator) [![CI](https://github.com/st-tech/gatling-operator/actions/workflows/ci.yml/badge.svg?branch=main&event=push)](https://github.com/st-tech/gatling-operator/actions/workflows/ci.yml) ![GitHub release (latest SemVer)](https://img.shields.io/github/v/release/st-tech/gatling-operator)
+[![Go Report Card](https://goreportcard.com/badge/github.com/st-tech/gatling-operator)](https://goreportcard.com/report/github.com/st-tech/gatling-operator) [![CI](https://github.com/st-tech/gatling-operator/actions/workflows/ci.yml/badge.svg?branch=main&event=push)](https://github.com/st-tech/gatling-operator/actions/workflows/ci.yml)  [![daily vulnerability scan](https://github.com/st-tech/gatling-operator/actions/workflows/daily-vul-scan.yml/badge.svg?branch=main)](https://github.com/st-tech/gatling-operator/actions/workflows/daily-vul-scan.yml) ![GitHub release (latest SemVer)](https://img.shields.io/github/v/release/st-tech/gatling-operator)
 
 [Gatling](https://gatling.io/) is an open source load testing tool that allows to analyze and measure the performance of a variety of services. [Gatling Operator](https://github.com/st-tech/gatling-operator) is a Kubernetes Operator for running automated distributed Gatling load testing.