github actions: run daily trivy security scans on release docker imag…

…e and composer/yarn dependencies
nodiscc · Nov 23, 2023 · 6c1e4d6 · 6c1e4d6
1 parent 8d65cd6
commit 6c1e4d6
Show file tree

Hide file tree

Showing 2 changed files with 32 additions and 0 deletions.
diff --git a/.github/workflows/trivy-release.yml b/.github/workflows/trivy-release.yml
@@ -0,0 +1,26 @@
+name: trivy security scans (release)
+on:
+ schedule:
+ #- cron: '0 17 * * 1'
+ - cron: '32 * * * *'
+ workflow_dispatch:
+
+jobs:
+ trivy-repo:
+ runs-on: ubuntu-latest
+ name: trivy scan (release composer/yarn dependencies)
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v3
+ with:
+ ref: release
+ - name: Run trivy scanner on repository
+ run: make test_trivy_repo TRIVY_TARGET_BRANCH=release TRIVY_EXIT_CODE=1
+ trivy-docker:
+ runs-on: ubuntu-latest
+ name: trivy scan (release docker image)
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v3
+ - name: Run trivy scanner on release docker image
+ run: make test_trivy_docker TRIVY_TARGET_DOCKER_IMAGE=ghcr.io/shaarli/shaarli:release
diff --git a/Makefile b/Makefile
@@ -199,6 +199,8 @@ TRIVY_VERSION=0.44.0
 TRIVY_EXIT_CODE=1
 # default docker image to scan with trivy
 TRIVY_TARGET_DOCKER_IMAGE=ghcr.io/shaarli/shaarli:latest
+# branch on which test_trivy_repo should be run. leave undefined for the current branch
+#TRIVY_TARGET_BRANCH=release
 
 ### download trivy vulneravbility scanner
 download_trivy:
@@ -211,5 +213,9 @@ test_trivy_docker: download_trivy
 
 ### run trivy vulnerability scanner on composer/yarn dependency trees
 test_trivy_repo: download_trivy
+ifdef TRIVY_TARGET_BRANCH
+ git checkout $(TRIVY_TARGET_BRANCH) composer.lock
+ git checkout $(TRIVY_TARGET_BRANCH) yarn.lock
+endif
  ./trivy --exit-code $(TRIVY_EXIT_CODE) fs composer.lock
  ./trivy --exit-code $(TRIVY_EXIT_CODE) fs yarn.lock