Skip to content

Scan main images for vulnerabilities (scheduled) #42

Scan main images for vulnerabilities (scheduled)

Scan main images for vulnerabilities (scheduled) #42

Workflow file for this run

name: Scan Images for Vulnerabilities (Trivy)
run-name: Scan ${{ inputs.version == '' && github.ref_name || inputs.version }} images for vulnerabilities ${{ github.event_name == 'schedule' && '(scheduled)' || '' }}
on:
schedule:
- cron: "0 7 * * 1" # Run every Monday at 7:00 AM UTC
workflow_dispatch:
inputs:
version:
description: "Version of Eraser to run Trivy scans against. Leave empty to scan images built from the branch the action is running against."
type: string
required: false
default: ""
upload-results:
description: "Upload results to Github Security?"
type: boolean
required: true
default: false
permissions: read-all
env:
# Scanning released versions require the project `eraser-dev` as part of the registry name.
REGISTRY: ghcr.io/${{ github.event.inputs.version == '' && 'eraser-test' || 'eraser-dev' }}
TAG: ${{ github.event.inputs.version == '' && 'test' || github.event.inputs.version }}
jobs:
scan_vulnerabilities:
name: Scan ${{ matrix.data.image }} for vulnerabilities
runs-on: ubuntu-latest
timeout-minutes: 15
strategy:
matrix:
data:
- {image: remover, build_cmd: docker-build-remover, repo_environment_var: REMOVER_REPO}
- {image: eraser-manager, build_cmd: docker-build-manager, repo_environment_var: MANAGER_REPO}
- {image: collector, build_cmd: docker-build-collector, repo_environment_var: COLLECTOR_REPO}
- {image: eraser-trivy-scanner, build_cmd: docker-build-trivy-scanner, repo_environment_var: TRIVY_SCANNER_REPO}
steps:
- name: Harden Runner
uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
with:
egress-policy: audit
- name: Check out code
if: github.event_name == 'schedule' || github.event.inputs.version == ''
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- name: Build image
if: github.event_name == 'schedule' || github.event.inputs.version == ''
run: |
make ${{ matrix.data.build_cmd }} VERSION=${{ env.TAG }} ${{ matrix.data.repo_environment_var }}=${{ env.REGISTRY }}/${{ matrix.data.image }}
- name: Scan for vulnerabilities
uses: aquasecurity/trivy-action@7c2007bcb556501da015201bcba5aa14069b74e2 # 0.23.0
with:
image-ref: ${{ env.REGISTRY }}/${{ matrix.data.image }}:${{ env.TAG }}
vuln-type: 'os,library'
ignore-unfixed: true
format: 'sarif'
output: ${{ matrix.data.image }}-results.sarif
- uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4
with:
name: ${{ matrix.data.image }} Scan Results
path: ${{ matrix.data.image }}-results.sarif
overwrite: true
upload_vulnerabilities:
name: Upload ${{ matrix.image }} results to GitHub Security
runs-on: ubuntu-latest
needs: scan_vulnerabilities
if: github.event_name == 'schedule' || (github.event_name == 'workflow_dispatch' && github.event.inputs.upload-results == 'true')
permissions:
actions: read
contents: read
security-events: write
strategy:
matrix:
image: [remover, eraser-manager, collector, eraser-trivy-scanner]
steps:
- name: Harden Runner
uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
with:
egress-policy: audit
- uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
with:
name: ${{ matrix.image }} Scan Results
path: ${{ matrix.image }}-results.sarif
merge-multiple: true
- name: Upload results to GitHub Security
uses: github/codeql-action/upload-sarif@b611370bb5703a7efb587f9d136a52ea24c5c38c # v2.14.4
with:
sarif_file: ${{ matrix.image }}-results.sarif