Nightly Scan #100
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Nightly Scan | |
on: | |
workflow_dispatch: | |
inputs: | |
schedule: | |
- cron: "0 5 * * *" # UTC | |
env: | |
REGISTRY: ghcr.io | |
jobs: | |
nightly-scan-branch: | |
name: Publish | |
runs-on: ubuntu-latest | |
permissions: | |
contents: read | |
packages: write | |
id-token: write | |
steps: | |
- name: Checkout | |
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 | |
with: | |
fetch-depth: 0 | |
lfs: true | |
- name: Log into registry ${{env.REGISTRY}} | |
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 | |
with: | |
registry: ${{env.REGISTRY}} | |
username: ${{github.actor}} | |
password: ${{secrets.GITHUB_TOKEN}} | |
- name: Set Image name | |
run: | | |
echo IMAGE_NAME="ghcr.io/nirmata/kyverno-notation-aws:latest" >> $GITHUB_ENV | |
- name: Scan image using grype | |
id: grype-scan | |
uses: anchore/scan-action@v4 | |
with: | |
image: ${{ env.IMAGE_NAME }} | |
severity-cutoff: low | |
fail-build: true | |
- name: Scan image using trivy | |
uses: aquasecurity/trivy-action@master | |
id: trivy-scan | |
with: | |
image-ref: ${{ env.IMAGE_NAME }} | |
format: 'json' | |
output: 'trivy-scan.json' | |
exit-code: '1' | |
- name: Convert trivy json file to tabular form | |
uses: aquasecurity/[email protected] | |
if: always() && steps.trivy-scan.conclusion == 'failure' | |
with: | |
scan-type: convert | |
vuln-type: "" | |
image-ref: trivy-scan.json | |
format: table | |
output: trivy-scan.txt | |
- name: Cat trivy/grype scan file if status == failure | |
if: always() && (steps.trivy-scan.conclusion == 'failure' || steps.grype-scan.conclusion == 'failure') | |
shell: bash | |
run: | | |
echo "====trivy-scan-txt====" | |
[ -s "trivy-scan.txt" ] && cat trivy-scan.txt | |
echo "====trivy-scan-json====" | |
[ -s "trivy-scan-json" ] && cat trivy-scan-json | |
echo "====grype-scan====" | |
cat ${{ steps.grype-scan.outputs.sarif }} | |
exit 1 |