Skip to content

daily vulnerability scan #411

daily vulnerability scan

daily vulnerability scan #411

name: daily vulnerability scan
on:
schedule:
- cron: '0 0 * * *'
env:
IMAGE_NAME: zozo-gatling-operator
TRIVY_RESULTS_MARKDOWN: trivy-results.md
permissions:
contents: read
issues: write
jobs:
build-scan-and-save-results:
name: Build, scan, and save results
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Setup Go
uses: actions/setup-go@v5
with:
go-version-file: ./go.mod
cache: true
- name: Go modules sync
run: go mod tidy
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Build an image from Dockerfile
run: |
make docker-build IMG="${{ env.IMAGE_NAME }}:${{ github.sha }}"
- name: Run Trivy vulnerability scanner
uses: aquasecurity/[email protected]
with:
scan-type: image
image-ref: "${{ env.IMAGE_NAME }}:${{ github.sha }}"
exit-code: 0
ignore-unfixed: true
vuln-type: os,library
severity: HIGH,CRITICAL
timeout: 10m0s
scanners: vuln,secret,config
format: template
template: "@.github/ISSUE_TEMPLATE/trivy-results.tpl"
output: ${{ env.TRIVY_RESULTS_MARKDOWN }}
- name: Extract total count of vulnerabilities
id: extract-total-cnt-of-vulns
run: |
if [[ $(cat "${{ env.TRIVY_RESULTS_MARKDOWN }}") =~ Total\ count\ of\ vulnerabilities:\ ([0-9]+) ]]; then
result=${BASH_REMATCH[0]}
echo "$result"
total_cnt_of_vulns=${BASH_REMATCH[1]}
echo "total_cnt_of_vulns=$total_cnt_of_vulns" >> "$GITHUB_OUTPUT"
else
echo "Error: Failed to extract total count of vulnerabilities"
exit 1
fi
- name: Insert YAML front matter into the results markdown
if: ${{ fromJson(steps.extract-total-cnt-of-vulns.outputs.total_cnt_of_vulns) > 0 }}
run: |
sed -i '1i\
---\
title: "Security Alert by Trivy"\
labels: "trivy, vulnerability"\
---\
' "${{ env.TRIVY_RESULTS_MARKDOWN }}"
- name: Create or update the trivy results issue
if: ${{ fromJson(steps.extract-total-cnt-of-vulns.outputs.total_cnt_of_vulns) > 0 }}
uses: JasonEtco/create-an-issue@v2
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
filename: ${{ env.TRIVY_RESULTS_MARKDOWN }}
update_existing: true
search_existing: open