Scan main images for vulnerabilities (scheduled) #3
name: Scan Images for Vulnerabilities (Trivy) | |
run-name: Scan ${{ inputs.version == '' && github.ref_name || inputs.version }} images for vulnerabilities ${{ github.event_name == 'schedule' && '(scheduled)' || '' }} | |
on: | |
schedule: | |
- cron: "0 7 * * 1" # Run every Monday at 7:00 AM UTC | |
workflow_dispatch: | |
inputs: | |
version: | |
description: "Version of Eraser to run Trivy scans against. Leave empty to scan images built from the branch the action is running against." | |
type: string | |
required: false | |
default: "" | |
upload-results: | |
description: "Upload results to Github Security?" | |
type: boolean | |
required: true | |
default: false | |
permissions: read-all | |
env: | |
# Scanning released versions require the project `eraser-dev` as part of the registry name. | |
REGISTRY: ghcr.io/${{ github.event.inputs.version == '' && 'eraser-test' || 'eraser-dev' }} | |
TAG: ${{ github.event.inputs.version == '' && 'test' || github.event.inputs.version }} | |
jobs: | |
scan_vulnerabilities: | |
name: Scan ${{ matrix.data.image }} for vulnerabilities | |
runs-on: ubuntu-latest | |
timeout-minutes: 15 | |
strategy: | |
matrix: | |
data: | |
- {image: remover, build_cmd: docker-build-remover, repo_environment_var: REMOVER_REPO} | |
- {image: eraser-manager, build_cmd: docker-build-manager, repo_environment_var: MANAGER_REPO} | |
- {image: collector, build_cmd: docker-build-collector, repo_environment_var: COLLECTOR_REPO} | |
- {image: eraser-trivy-scanner, build_cmd: docker-build-trivy-scanner, repo_environment_var: TRIVY_SCANNER_REPO} | |
steps: | |
- name: Harden Runner | |
uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 | |
with: | |
egress-policy: audit | |
- name: Check out code | |
if: github.event_name == 'schedule' || github.event.inputs.version == '' | |
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | |
- name: Build image | |
if: github.event_name == 'schedule' || github.event.inputs.version == '' | |
run: | | |
make ${{ matrix.data.build_cmd }} VERSION=${{ env.TAG }} ${{ matrix.data.repo_environment_var }}=${{ env.REGISTRY }}/${{ matrix.data.image }} | |
- name: Scan for vulnerabilities | |
uses: aquasecurity/trivy-action@d43c1f16c00cfd3978dde6c07f4bbcf9eb6993ca # 0.16.1 | |
with: | |
image-ref: ${{ env.REGISTRY }}/${{ matrix.data.image }}:${{ env.TAG }} | |
vuln-type: 'os,library' | |
ignore-unfixed: true | |
format: 'sarif' | |
output: ${{ matrix.data.image }}-results.sarif | |
- uses: actions/upload-artifact@694cdabd8bdb0f10b2cea11669e1bf5453eed0a6 # v4.2.0 | |
with: | |
name: ${{ matrix.data.image }} Scan Results | |
path: ${{ matrix.data.image }}-results.sarif | |
overwrite: true | |
upload_vulnerabilities: | |
name: Upload ${{ matrix.image }} results to GitHub Security | |
runs-on: ubuntu-latest | |
needs: scan_vulnerabilities | |
if: github.event_name == 'schedule' || (github.event_name == 'workflow_dispatch' && github.event.inputs.upload-results == 'true') | |
permissions: | |
actions: read | |
contents: read | |
security-events: write | |
strategy: | |
matrix: | |
image: [remover, eraser-manager, collector, eraser-trivy-scanner] | |
steps: | |
- name: Harden Runner | |
uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 | |
with: | |
egress-policy: audit | |
- uses: actions/download-artifact@6b208ae046db98c579e8a3aa621ab581ff575935 # v4.1.1 | |
with: | |
name: ${{ matrix.image }} Scan Results | |
path: ${{ matrix.image }}-results.sarif | |
merge-multiple: true | |
- name: Upload results to GitHub Security | |
uses: github/codeql-action/upload-sarif@cdcdbb579706841c47f7063dda365e292e5cad7a # v2.14.4 | |
with: | |
sarif_file: ${{ matrix.image }}-results.sarif |
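Review bot: In the `upload_vulnerabilities` job the download step sets `path: ${{ matrix.image }}-results.sarif`, but for actions/download-artifact v4 `path` is a destination directory, so the SARIF most likely lands at `<image>-results.sarif/<image>-results.sarif` and the `sarif_file` input on the last line then names a directory rather than the file the scan job produced. upload-sarif does accept a directory of SARIF files, so this probably works by accident; making it explicit would be `path: .` on the download step, after which `sarif_file: ${{ matrix.image }}-results.sarif` points at the actual file. `merge-multiple: true` has no effect when a single `name` is given and can be dropped. Separately, `ignore-unfixed: true` in the scan job means findings with no available fix never reach Code Scanning, which is a deliberate noise trade-off worth recording next to that input, e.g. `# unfixed CVEs are suppressed; rerun without this to see the full exposure`.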