From ca1a760d3e3e757d4d36fffa03034cf7dc9f3b84 Mon Sep 17 00:00:00 2001 From: Jack Warren Date: Thu, 25 Jul 2024 15:03:22 -0400 Subject: [PATCH] [DDO-3793] Weekly Container Scan (#612) --- .../workflows/sherlock-container-scan.yaml | 47 +++++++++++++++++++ 1 file changed, 47 insertions(+) create mode 100644 .github/workflows/sherlock-container-scan.yaml diff --git a/.github/workflows/sherlock-container-scan.yaml b/.github/workflows/sherlock-container-scan.yaml new file mode 100644 index 000000000..e15f4fc25 --- /dev/null +++ b/.github/workflows/sherlock-container-scan.yaml @@ -0,0 +1,47 @@ +name: Standalone Sherlock Trivy Scan +on: + workflow_dispatch: + inputs: + tag: + description: 'Tag to scan' + required: false + type: string + default: 'latest' + schedule: + - cron: '0 0 * * 0' + +jobs: + scan: + runs-on: ubuntu-latest + permissions: + id-token: write + steps: + - name: Auth to GCP + id: auth + uses: google-github-actions/auth@v2 + with: + token_format: access_token + workload_identity_provider: projects/1038484894585/locations/global/workloadIdentityPools/github-wi-pool/providers/github-wi-provider + service_account: dsp-artifact-registry-push@dsp-artifact-registry.iam.gserviceaccount.com + + - name: Login to GAR + uses: docker/login-action@v3 + with: + registry: us-central1-docker.pkg.dev + username: oauth2accesstoken + password: ${{ steps.auth.outputs.access_token }} + + - name: Run Trivy vulnerability scanner + uses: broadinstitute/dsp-appsec-trivy-action@v1 + with: + # sherlock-build.yaml pushes to both normal GAR and super-prod GAR. It pushes the same image. We pull + # from the normal one here so that we don't need to pull from the more private and secure one for this + # technically-non-prod usage. + image: us-central1-docker.pkg.dev/dsp-artifact-registry/sherlock/sherlock:${{ inputs.tag || 'latest' }} + + report-workflow: + uses: ./.github/workflows/client-report-workflow.yaml + with: + notify-slack-channels-upon-workflow-failure: "#trivy-weekly-scans-notblessedimages" + permissions: + id-token: write