TrueChartsClone/.github/workflows/general.security-scan.yaml

name: "General: Security Scan"

on:
  workflow_dispatch:
  push:
    branches:
    - master
    paths:
    - ".github/workflows/general.security-scan.yaml"
  schedule:
    - cron: "0 0 * * 0"


jobs:
  directories: # Job that list subdirectories
    runs-on: ubuntu-latest
    outputs:
      dir: ${{ steps.set-dirs.outputs.dir }} # generate output name dir by using inner step output
    steps:
      - uses: actions/checkout@a12a3943b4bdde767164f792f33f40b04645d846 # tag=v3
        with:
          token: ${{ secrets.BOT_TOKEN }}
      - id: set-dirs # Give it an id to handle to get step outputs in the outputs key above
        run: echo "::set-output name=dir::$({ ls -d containers/apps/*/ & ls -d containers/base/*/; } | tr '\n' '\0' | xargs -0 -n 1 basename | jq -R -s -c 'split("\n")[:-1]')"
        # Define step output named dir base on ls command transformed to JSON thanks to jq


  scan_files:
    name: Scan Files
    runs-on: ubuntu-latest
    steps:
    - name: Checkout
      uses: actions/checkout@a12a3943b4bdde767164f792f33f40b04645d846 # tag=v3

    - name: Run Trivy vulnerability scanner in repo mode
      uses: aquasecurity/trivy-action@master
      with:
        scan-type: 'fs'
        ignore-unfixed: true
        format: 'template'
        template: '@/contrib/sarif.tpl'
        output: 'trivy-repo-results.sarif'
        severity: 'CRITICAL'

    - name: Upload Trivy scan results to GitHub Security tab
      uses: github/codeql-action/upload-sarif@v1
      with:
        sarif_file: 'trivy-repo-results.sarif'


  scan_containers:
    name: Scan Containers
    runs-on: ubuntu-20.04
    needs: [directories] # Depends on previous job
    strategy:
      matrix:
        dir: ${{fromJson(needs.directories.outputs.dir)}} # List matrix strategy from directories dynamically
      fail-fast: false
    steps:
    - name: Container Security scan
      uses: Azure/container-scan@74375b0068a9527f6bcc8abfc4b8758c445ae197 # renovate: tag=v0
      with:
        image-name: ghcr.io/${{ github.repository_owner }}/${{matrix.dir}}:latest
        severity-threshold: HIGH
Integrate Container and Website Repo's + docs restructure 2021-03-17 09:35:56 +00:00			`name: "General: Security Scan"`

			`on:`
			`workflow_dispatch:`
			`push:`
			`branches:`
main->master for security-scan trigger 2021-04-11 14:29:43 +00:00			`- master`
Integrate Container and Website Repo's + docs restructure 2021-03-17 09:35:56 +00:00			`paths:`
			`- ".github/workflows/general.security-scan.yaml"`
			`schedule:`
			`- cron: "0 0 * * 0"`


			`jobs:`
			`directories: # Job that list subdirectories`
			`runs-on: ubuntu-latest`
			`outputs:`
			`dir: ${{ steps.set-dirs.outputs.dir }} # generate output name dir by using inner step output`
			`steps:`
chore(deps): update actions/checkout action to v3 (#1994) Co-authored-by: Renovate Bot <bot@renovateapp.com> 2022-03-02 10:52:19 +00:00			`- uses: actions/checkout@a12a3943b4bdde767164f792f33f40b04645d846 # tag=v3`
Integrate Container and Website Repo's + docs restructure 2021-03-17 09:35:56 +00:00			`with:`
			`token: ${{ secrets.BOT_TOKEN }}`
			`- id: set-dirs # Give it an id to handle to get step outputs in the outputs key above`
move containers from `.containers` to `containers` 2021-05-30 11:02:07 +00:00			`run: echo "::set-output name=dir::$({ ls -d containers/apps// & ls -d containers/base//; } \| tr '\n' '\0' \| xargs -0 -n 1 basename \| jq -R -s -c 'split("\n")[:-1]')"`
Integrate Container and Website Repo's + docs restructure 2021-03-17 09:35:56 +00:00			`# Define step output named dir base on ls command transformed to JSON thanks to jq`


			`scan_files:`
			`name: Scan Files`
			`runs-on: ubuntu-latest`
			`steps:`
			`- name: Checkout`
chore(deps): update actions/checkout action to v3 (#1994) Co-authored-by: Renovate Bot <bot@renovateapp.com> 2022-03-02 10:52:19 +00:00			`uses: actions/checkout@a12a3943b4bdde767164f792f33f40b04645d846 # tag=v3`
Integrate Container and Website Repo's + docs restructure 2021-03-17 09:35:56 +00:00
			`- name: Run Trivy vulnerability scanner in repo mode`
			`uses: aquasecurity/trivy-action@master`
			`with:`
			`scan-type: 'fs'`
			`ignore-unfixed: true`
			`format: 'template'`
			`template: '@/contrib/sarif.tpl'`
			`output: 'trivy-repo-results.sarif'`
			`severity: 'CRITICAL'`

			`- name: Upload Trivy scan results to GitHub Security tab`
			`uses: github/codeql-action/upload-sarif@v1`
			`with:`
			`sarif_file: 'trivy-repo-results.sarif'`


			`scan_containers:`
			`name: Scan Containers`
			`runs-on: ubuntu-20.04`
			`needs: [directories] # Depends on previous job`
			`strategy:`
			`matrix:`
			`dir: ${{fromJson(needs.directories.outputs.dir)}} # List matrix strategy from directories dynamically`
			`fail-fast: false`
			`steps:`
			`- name: Container Security scan`
chore(deps): update azure/container-scan commit hash to 74375b0 (#1833) Co-authored-by: Renovate Bot <bot@renovateapp.com> 2022-02-03 10:12:49 +00:00			`uses: Azure/container-scan@74375b0068a9527f6bcc8abfc4b8758c445ae197 # renovate: tag=v0`
Integrate Container and Website Repo's + docs restructure 2021-03-17 09:35:56 +00:00			`with:`
			`image-name: ghcr.io/${{ github.repository_owner }}/${{matrix.dir}}:latest`
			`severity-threshold: HIGH`