image-vuln-scan.yml
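# Weekly Trivy scan of the published container image. HIGH/CRITICAL findings
# are written to a tracking issue (created, or updated if one is already open);
# a later clean scan closes that issue again.
name: Image vuln scan

on:
  workflow_dispatch:
  schedule:
    - cron: "22 7 * * 0"  # Sundays, 07:22 UTC

# Only what the job needs; every permission not listed here is 'none'.
permissions:
  # The checkout below is what lets 'gh' resolve the repository from the git
  # remote; actions/checkout needs read access to the repository contents.
  # A public repo may get away without it, but declaring it keeps the job
  # working if the repository visibility changes.
  contents: read
  issues: write

env:
  # Note: Use ghcr since we have no rate limiting there
  TRIVYY_IMAGE_REF: 'ghcr.io/xdev-software/mockserver-neolight:latest'

jobs:
  scan:
    runs-on: ubuntu-latest
    continue-on-error: true  # Ignore errors, we create an issue instead
    steps:
      # NOTE(review): the third-party actions below are pinned to tags, which
      # can be moved after the fact; pinning each one to the full commit SHA
      # of the release is the usual supply-chain hardening. Tags are kept here
      # because the release SHAs are not on record in this file.
      - uses: actions/checkout@v4

      # Informational pass: reports every severity, never fails the job.
      - name: Scan - Full
        uses: aquasecurity/trivy-action@0.29.0
        with:
          image-ref: ${{ env.TRIVYY_IMAGE_REF }}

      # Gating pass: HIGH/CRITICAL only. The non-zero exit on findings is what
      # drives the 'failure()' conditions further down.
      - name: Scan - Relevant
        id: scan_relevant
        uses: aquasecurity/trivy-action@0.29.0
        with:
          image-ref: ${{ env.TRIVYY_IMAGE_REF }}
          exit-code: '1'
          severity: 'HIGH,CRITICAL'
          output: reported.txt
        env:
          TRIVY_DISABLE_VEX_NOTICE: '1'

      # Runs whether or not the scans failed (but not on cancellation) so both
      # the close path and the create/update path below can reuse the result.
      # NOTE(review): inside the single-quoted search term the backslashes
      # before the double quotes are passed to the search literally; the
      # author may have meant plain double quotes - confirm the query matches
      # the issue title as intended.
      - name: Find already existing issue
        id: find-issue
        if: ${{ !cancelled() }}
        run: |
          echo "number=$(gh issue list -l 'bug' -l 'automated' -L 1 -S 'in:title \"Trivy Vulnerability Report\"' -s 'open' --json 'number' --jq '.[].number')" >> "$GITHUB_OUTPUT"
        env:
          GH_TOKEN: ${{ github.token }}

      # Clean scan and an open tracking issue -> close it.
      - name: Close issue if everything is fine
        if: ${{ success() && steps.find-issue.outputs.number != '' }}
        run: gh issue close -r 'not planned' "$ISSUE_NUMBER"
        env:
          GH_TOKEN: ${{ github.token }}
          # Handed over through the environment instead of being expanded into
          # the shell line, so the step output is never parsed as shell syntax.
          ISSUE_NUMBER: ${{ steps.find-issue.outputs.number }}

      # Wrap the raw Trivy text output in a fenced block for the issue body.
      - name: Reformat report
        if: ${{ failure() && steps.scan_relevant.conclusion == 'failure' }}
        run: |
          echo 'Trivy reported vulnerabilities that should be addressed:' > reported.md
          echo '```' >> reported.md
          cat reported.txt >> reported.md
          echo '```' >> reported.md
          cat reported.md

      # 'issue-number' is empty when no open report exists; presumably the
      # action then creates a new issue and otherwise updates the existing one.
      - name: Create Issue From File
        if: ${{ failure() && steps.scan_relevant.conclusion == 'failure' }}
        uses: peter-evans/create-issue-from-file@v5
        with:
          issue-number: ${{ steps.find-issue.outputs.number }}
          title: Trivy Vulnerability Report
          content-filepath: ./reported.md
          labels: bug, automated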