name: "General: Security Scan" on: workflow_dispatch: push: branches: - master paths: - ".github/workflows/general.security-scan.yaml" schedule: - cron: "0 0 * * 0" jobs: directories: # Job that list subdirectories runs-on: ubuntu-latest outputs: dir: ${{ steps.set-dirs.outputs.dir }} # generate output name dir by using inner step output steps: - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # tag=v3 with: token: ${{ secrets.BOT_TOKEN }} - id: set-dirs # Give it an id to handle to get step outputs in the outputs key above run: echo "::set-output name=dir::$({ ls -d containers/apps/*/ & ls -d containers/base/*/; } | tr '\n' '\0' | xargs -0 -n 1 basename | jq -R -s -c 'split("\n")[:-1]')" # Define step output named dir base on ls command transformed to JSON thanks to jq scan_files: name: Scan Files runs-on: ubuntu-latest steps: - name: Checkout uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # tag=v3 - name: Run Trivy vulnerability scanner in repo mode uses: aquasecurity/trivy-action@master with: scan-type: "fs" ignore-unfixed: true format: "template" template: "@/contrib/sarif.tpl" output: "trivy-repo-results.sarif" severity: "CRITICAL" - name: Upload Trivy scan results to GitHub Security tab uses: github/codeql-action/upload-sarif@2ca79b6fa8d3ec278944088b4aa5f46912db5d63 # tag=v2 with: sarif_file: "trivy-repo-results.sarif" scan_containers: name: Scan Containers runs-on: ubuntu-20.04 needs: [directories] # Depends on previous job strategy: matrix: dir: ${{fromJson(needs.directories.outputs.dir)}} # List matrix strategy from directories dynamically fail-fast: false steps: - name: Container Security scan uses: Azure/container-scan@f9af925b897d8af5f7e0026b8bca9346261abc93 # tag=v0 with: image-name: ghcr.io/${{ github.repository_owner }}/${{matrix.dir}}:latest severity-threshold: HIGH