forked from hyperledger/besu
-
Notifications
You must be signed in to change notification settings - Fork 1
47 lines (41 loc) · 1.37 KB
/
container-security-scan.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
name: container security scan
on:
workflow_dispatch:
inputs:
tag:
description: 'Container image tag'
required: false
default: 'develop'
schedule:
# Start of the hour is the busy time. Schedule it to run 8:17am UTC
- cron: '17 8 * * *'
jobs:
scan-sarif:
runs-on: ubuntu-latest
permissions:
contents: read
security-events: write
steps:
- name: Checkout
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
# Shell parameter expansion does not support directly on a step
# Adding a separate step to set the image tag. This allows running
# this workflow with a schedule as well as manual
- name: Set image tag
id: tag
run: |
echo "TAG=${INPUT_TAG:-develop}" >> "$GITHUB_OUTPUT"
env:
INPUT_TAG: ${{ inputs.tag }}
- name: Vulnerability scanner
id: trivy
uses: aquasecurity/trivy-action@595be6a0f6560a0a8fc419ddf630567fc623531d
with:
image-ref: hyperledger/besu:${{ steps.tag.outputs.TAG }}
format: sarif
output: 'trivy-results.sarif'
# Check the vulnerabilities via GitHub security tab
- name: Upload results
uses: github/codeql-action/upload-sarif@23acc5c183826b7a8a97bce3cecc52db901f8251
with:
sarif_file: 'trivy-results.sarif'