You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
|
|
|
name: container security scan
|
|
|
|
|
|
|
|
on:
|
|
|
|
workflow_dispatch:
|
|
|
|
inputs:
|
|
|
|
tag:
|
|
|
|
description: 'Container image tag'
|
|
|
|
required: false
|
|
|
|
default: 'develop'
|
|
|
|
schedule:
|
|
|
|
# Start of the hour is the busy time. Scheule it to run 8:17am UTC
|
|
|
|
- cron: '17 8 * * *'
|
|
|
|
|
|
|
|
jobs:
|
|
|
|
scan-sarif:
|
|
|
|
runs-on: ubuntu-latest
|
|
|
|
|
|
|
|
steps:
|
|
|
|
- name: Checkout
|
|
|
|
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
|
|
|
|
|
|
|
|
# Shell parameter expansion does not support directly on a step
|
|
|
|
# Adding a separate step to set the image tag. This allows running
|
|
|
|
# this workflow with a schedule as well as manual
|
|
|
|
- name: Set image tag
|
|
|
|
id: tag
|
|
|
|
run: |
|
|
|
|
echo "TAG=${INPUT_TAG:-develop}" >> "$GITHUB_OUTPUT"
|
|
|
|
env:
|
|
|
|
INPUT_TAG: ${{ inputs.tag }}
|
|
|
|
|
|
|
|
- name: Vulnerability scanner
|
|
|
|
id: trivy
|
|
|
|
uses: aquasecurity/trivy-action@595be6a0f6560a0a8fc419ddf630567fc623531d
|
|
|
|
with:
|
|
|
|
image-ref: hyperledger/besu:${{ steps.tag.outputs.TAG }}
|
|
|
|
format: sarif
|
|
|
|
output: 'trivy-results.sarif'
|
|
|
|
|
|
|
|
# Check the vulnerabilities via GitHub security tab
|
|
|
|
- name: Upload results
|
|
|
|
uses: github/codeql-action/upload-sarif@23acc5c183826b7a8a97bce3cecc52db901f8251
|
|
|
|
with:
|
|
|
|
sarif_file: 'trivy-results.sarif'
|