Delete general.security-scan.yaml
Signed-off-by: Kjeld Schouten-Lebbing <kjeld@schouten-lebbing.nl>
parent
0cbd67257a
commit
a8900e9b64
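--- a/.github/workflows/general.security-scan.yaml
+++ /dev/null
@@ -1,61 +0,0 @@
-name: "General: Security Scan"
-
-on:
-workflow_dispatch:
-push:
-branches:
-- master
-paths:
-- ".github/workflows/general.security-scan.yaml"
-schedule:
-- cron: "0 0 * * 0"
-
-jobs:
-directories: # Job that list subdirectories
-runs-on: ubuntu-latest
-outputs:
-dir: ${{ steps.set-dirs.outputs.dir }} # generate output name dir by using inner step output
-steps:
-- uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3
-with:
-token: ${{ secrets.BOT_TOKEN }}
-- id: set-dirs # Give it an id to handle to get step outputs in the outputs key above
-run: echo "::set-output name=dir::$({ ls -d containers/apps/*/ & ls -d containers/base/*/; } | tr '\n' '\0' | xargs -0 -n 1 basename | jq -R -s -c 'split("\n")[:-1]')"
-# Define step output named dir base on ls command transformed to JSON thanks to jq
-
-scan_files:
-name: Scan Files
-runs-on: ubuntu-latest
-steps:
-- name: Checkout
-uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3
-
-- name: Run Trivy vulnerability scanner in repo mode
-uses: aquasecurity/trivy-action@master
-with:
-scan-type: "fs"
-ignore-unfixed: true
-format: "template"
-template: "@/contrib/sarif.tpl"
-output: "trivy-repo-results.sarif"
-severity: "CRITICAL"
-
-- name: Upload Trivy scan results to GitHub Security tab
-uses: github/codeql-action/upload-sarif@959cbb7472c4d4ad70cdfe6f4976053fe48ab394 # v2
-with:
-sarif_file: "trivy-repo-results.sarif"
-
-scan_containers:
-name: Scan Containers
-runs-on: ubuntu-20.04
-needs: [directories] # Depends on previous job
-strategy:
-matrix:
-dir: ${{fromJson(needs.directories.outputs.dir)}} # List matrix strategy from directories dynamically
-fail-fast: false
-steps:
-- name: Container Security scan
-uses: Azure/container-scan@f9af925b897d8af5f7e0026b8bca9346261abc93 # tag=v0
-with:
-image-name: ghcr.io/${{ github.repository_owner }}/${{matrix.dir}}:latest
-severity-threshold: HIGH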