Skip to content

Image vuln scan

Image vuln scan #7

name: Image vuln scan
on:
workflow_dispatch:
schedule:
- cron: "22 7 * * 0"
permissions:
issues: write
env:
# Note: Use ghcr since we have no rate limiting there
TRIVYY_IMAGE_REF: 'ghcr.io/xdev-software/oidc-server-mock:latest'
jobs:
scan:
runs-on: ubuntu-latest
continue-on-error: true # Ignore errors, we create an issue instead
steps:
- uses: actions/checkout@v4
- name: Scan - Full
uses: aquasecurity/[email protected]
with:
image-ref: ${{ env.TRIVYY_IMAGE_REF }}
- name: Scan - Relevant
id: scan_relevant
uses: aquasecurity/[email protected]
with:
image-ref: ${{ env.TRIVYY_IMAGE_REF }}
exit-code: 1
severity: 'HIGH,CRITICAL'
output: reported.txt
env:
TRIVY_DISABLE_VEX_NOTICE: 1
- name: Find already existing issue
id: find-issue
if: ${{ always() }}
run: |
echo "number=$(gh issue list -l 'bug' -l 'automated' -L 1 -S 'in:title \"Trivy Vulnerability Report\"' -s 'open' --json 'number' --jq '.[].number')" >> $GITHUB_OUTPUT
env:
GH_TOKEN: ${{ github.token }}
- name: Close issue if everything is fine
if: ${{ success() && steps.find-issue.outputs.number != '' }}
run: gh issue close -r 'not planned' ${{ steps.find-issue.outputs.number }}
env:
GH_TOKEN: ${{ github.token }}
- name: Reformat report
if: ${{ failure() && steps.scan_relevant.conclusion == 'failure' }}
run: |
echo 'Trivy reported vulnerabilities that should be addressed:' > reported.md
echo '```' >> reported.md
cat reported.txt >> reported.md
echo '```' >> reported.md
cat reported.md
- name: Create Issue From File
if: ${{ failure() && steps.scan_relevant.conclusion == 'failure' }}
uses: peter-evans/create-issue-from-file@v5
with:
issue-number: ${{ steps.find-issue.outputs.number }}
title: Trivy Vulnerability Report
content-filepath: ./reported.md
labels: bug, automated