diff --git a/.github/workflows/trivy.yaml b/.github/workflows/trivy.yaml new file mode 100644 index 00000000..fdb7ac6f --- /dev/null +++ b/.github/workflows/trivy.yaml @@ -0,0 +1,61 @@ +name: Trivy + +on: + schedule: + - cron: '0 10 * * *' + +jobs: + list-branches-to-scan: + runs-on: ubuntu-latest + outputs: + branches: ${{ steps.branches.outputs.branches }} + steps: + - name: Checking out repo + uses: actions/checkout@v4 + with: + fetch-depth: 0 + - name: List branches to scan + id: branches + run: | + # regex matches branches like + # origin/1.28 + # origin/v1.1 + # origin/release-1.30 + # origin/main + BRANCHES=$(git branch -r | grep -E '^ origin\/(((v|release-)?[0-9]+.[0-9]+)|main)$' | \ + sed -e 's#^ origin/##' | jq -R -s -c 'split("\n")[:-1]') + echo "branches=$(echo $BRANCHES)" >> $GITHUB_OUTPUT + scan: + runs-on: ubuntu-latest + needs: list-branches-to-scan + strategy: + matrix: + branch: ${{ fromJson(needs.list-branches-to-scan.outputs.branches) }} + permissions: + security-events: write + steps: + - name: Checking out repo + uses: actions/checkout@v4 + with: + ref: ${{ matrix.branch }} + fetch-depth: 0 + - name: Run Trivy vulnerability scanner in repo mode + uses: aquasecurity/trivy-action@0.28.0 + with: + scan-type: "fs" + ignore-unfixed: true + format: "sarif" + output: "output.sarif" + severity: "MEDIUM,HIGH,CRITICAL" + env: + TRIVY_DB_REPOSITORY: "public.ecr.aws/aquasecurity/trivy-db" + - name: Get commit sha + run: | + SHA="$(git rev-parse HEAD)" + echo "head_sha=$SHA" >> "$GITHUB_ENV" + - name: Upload Trivy scan results to GitHub Security tab + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: "output.sarif" + sha: ${{ env.head_sha }} + ref: refs/heads/${{ matrix.branch }}