WIP: run trivy security scans on release docker image/composer depend…

…encies

.github/workflows/trivy-release.yml

@@ -0,0 +1,24 @@
+name: trivy security scans (release)
+on:
+ schedule:
+ #- cron: '0 17 * * 1'
+ - cron: '10 * * * 1'
+ workflow_dispatch:
+
+jobs:
+ trivy-repo:
+ runs-on: ubuntu-latest
+ name: trivy scan (release composer dependencies)
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v3
+ - name: Run trivy scanner on repository
+ run: make test_trivy_repo
+ trivy-docker:
+ runs-on: ubuntu-latest
+ name: trivy scan (release docker image)
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v3
+ - name: Run trivy scanner on release docker image
+ run: make test_trivy_docker TRIVY_TARGET_DOCKER_IMAGE=ghcr.io/shaarli/shaarli:release

Makefile

@@ -209,7 +209,6 @@ download_trivy:
 test_trivy_docker: download_trivy
  ./trivy --exit-code $(TRIVY_EXIT_CODE) image $(TRIVY_TARGET_DOCKER_IMAGE)
 
-### run trivy vulnerability scanner on composer/yarn dependency trees
+### run trivy vulnerability scanner on composer dependency tree
 test_trivy_repo: download_trivy
  ./trivy --exit-code $(TRIVY_EXIT_CODE) fs composer.lock
- ./trivy --exit-code $(TRIVY_EXIT_CODE) fs yarn.lock