Skip to content

Scan main images for vulnerabilities (scheduled) #39

Scan main images for vulnerabilities (scheduled)

Scan main images for vulnerabilities (scheduled) #39

Workflow file for this run

name: Scan Images for Vulnerabilities (Trivy)
run-name: Scan ${{ inputs.version == '' && github.ref_name || inputs.version }} images for vulnerabilities ${{ github.event_name == 'schedule' && '(scheduled)' || '' }}
on:
schedule:
- cron: "0 7 * * 1" # Run every Monday at 7:00 AM UTC
workflow_dispatch:
inputs:
version:
description: "Version of Eraser to run Trivy scans against. Leave empty to scan images built from the branch the action is running against."
type: string
required: false
default: ""
upload-results:
description: "Upload results to Github Security?"
type: boolean
required: true
default: false
permissions: read-all
env:
# Scanning released versions require the project `eraser-dev` as part of the registry name.
REGISTRY: ghcr.io/${{ github.event.inputs.version == '' && 'eraser-test' || 'eraser-dev' }}
TAG: ${{ github.event.inputs.version == '' && 'test' || github.event.inputs.version }}
jobs:
scan_vulnerabilities:
name: Scan ${{ matrix.data.image }} for vulnerabilities
runs-on: ubuntu-latest
timeout-minutes: 15
strategy:
matrix:
data:
- {image: remover, build_cmd: docker-build-remover, repo_environment_var: REMOVER_REPO}
- {image: eraser-manager, build_cmd: docker-build-manager, repo_environment_var: MANAGER_REPO}
- {image: collector, build_cmd: docker-build-collector, repo_environment_var: COLLECTOR_REPO}
- {image: eraser-trivy-scanner, build_cmd: docker-build-trivy-scanner, repo_environment_var: TRIVY_SCANNER_REPO}
steps:
- name: Harden Runner
uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0
with:
egress-policy: audit
- name: Check out code
if: github.event_name == 'schedule' || github.event.inputs.version == ''
uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
- name: Build image
if: github.event_name == 'schedule' || github.event.inputs.version == ''
run: |
make ${{ matrix.data.build_cmd }} VERSION=${{ env.TAG }} ${{ matrix.data.repo_environment_var }}=${{ env.REGISTRY }}/${{ matrix.data.image }}
- name: Scan for vulnerabilities
uses: aquasecurity/trivy-action@fd25fed6972e341ff0007ddb61f77e88103953c2 # 0.21.0
with:
image-ref: ${{ env.REGISTRY }}/${{ matrix.data.image }}:${{ env.TAG }}
vuln-type: 'os,library'
ignore-unfixed: true
format: 'sarif'
output: ${{ matrix.data.image }}-results.sarif
- uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
with:
name: ${{ matrix.data.image }} Scan Results
path: ${{ matrix.data.image }}-results.sarif
overwrite: true
upload_vulnerabilities:
name: Upload ${{ matrix.image }} results to GitHub Security
runs-on: ubuntu-latest
needs: scan_vulnerabilities
if: github.event_name == 'schedule' || (github.event_name == 'workflow_dispatch' && github.event.inputs.upload-results == 'true')
permissions:
actions: read
contents: read
security-events: write
strategy:
matrix:
image: [remover, eraser-manager, collector, eraser-trivy-scanner]
steps:
- name: Harden Runner
uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0
with:
egress-policy: audit
- uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
with:
name: ${{ matrix.image }} Scan Results
path: ${{ matrix.image }}-results.sarif
merge-multiple: true
- name: Upload results to GitHub Security
uses: github/codeql-action/upload-sarif@f079b8493333aace61c81488f8bd40919487bd9f # v2.14.4
with:
sarif_file: ${{ matrix.image }}-results.sarif