TrueChartsClone/.github/workflows/general.security-scan.yaml

62 lines
2.1 KiB
YAML

name: "General: Security Scan"
on:
workflow_dispatch:
push:
branches:
- master
paths:
- ".github/workflows/general.security-scan.yaml"
schedule:
- cron: "0 0 * * 0"
jobs:
directories: # Job that list subdirectories
runs-on: ubuntu-latest
outputs:
dir: ${{ steps.set-dirs.outputs.dir }} # generate output name dir by using inner step output
steps:
- uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # tag=v3
with:
token: ${{ secrets.BOT_TOKEN }}
- id: set-dirs # Give it an id to handle to get step outputs in the outputs key above
run: echo "::set-output name=dir::$({ ls -d containers/apps/*/ & ls -d containers/base/*/; } | tr '\n' '\0' | xargs -0 -n 1 basename | jq -R -s -c 'split("\n")[:-1]')"
# Define step output named dir base on ls command transformed to JSON thanks to jq
scan_files:
name: Scan Files
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # tag=v3
- name: Run Trivy vulnerability scanner in repo mode
uses: aquasecurity/trivy-action@master
with:
scan-type: "fs"
ignore-unfixed: true
format: "template"
template: "@/contrib/sarif.tpl"
output: "trivy-repo-results.sarif"
severity: "CRITICAL"
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@e0e5ded33cabb451ae0a9768fc7b0410bad9ad44 # tag=v2
with:
sarif_file: "trivy-repo-results.sarif"
scan_containers:
name: Scan Containers
runs-on: ubuntu-20.04
needs: [directories] # Depends on previous job
strategy:
matrix:
dir: ${{fromJson(needs.directories.outputs.dir)}} # List matrix strategy from directories dynamically
fail-fast: false
steps:
- name: Container Security scan
uses: Azure/container-scan@f9af925b897d8af5f7e0026b8bca9346261abc93 # tag=v0
with:
image-name: ghcr.io/${{ github.repository_owner }}/${{matrix.dir}}:latest
severity-threshold: HIGH