
Create malware.yml

Create malware.yml #1

Workflow file for this run

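# Scans a container image with the Deepfence malware scanner on every push and
# pull request, and fails the build when the number of findings reaches the
# thresholds configured on the scan step.
name: malware-scanner

on:
  push:
    branches:
      # "**" matches every branch. A single "*" does not match names that
      # contain "/" (for example feature/foo), so the scan would be skipped
      # on those branches.
      - "**"
  pull_request:
    branches:
      - "**"

# Least privilege for the GITHUB_TOKEN: this workflow only reads the repository.
permissions:
  contents: read

jobs:
  malware-scanner:
    runs-on: ubuntu-latest
    env:
      GROUP: demo
      COMMIT: ${{ github.sha }}
      REPO: infra-mon
    steps:
      # NOTE(review): a version tag can be moved by the action's owner; pin
      # to the full commit SHA of the release you have reviewed.
      - uses: actions/checkout@v4
        with:
          # Do not leave the token in .git/config: the next step runs a
          # third-party container with control of the runner's Docker daemon.
          persist-credentials: false

      # Run the Deepfence malware scanner against a container image.
      - name: Run Deepfence Malware Scanner
        env:
          # Secrets are scoped to this step rather than to the whole job.
          # NOTE(review): the docker run below does not forward these two
          # values into the container (no -e), so the scanner never sees
          # them; confirm whether console reporting is intended. They are
          # also empty on pull requests opened from forks.
          DEEPFENCE_CONSOLE_URL: ${{ secrets.DEEPFENCE_URL }}
          DEEPFENCE_KEY: ${{ secrets.DEEPFENCE_KEY }}
          # NOTE(review): FULL_IMAGE_NAME is defined but nothing in this
          # workflow builds or scans it; the scan target is NGINX, a public
          # image unrelated to this repository. Confirm which image the gate
          # is meant to cover.
          FULL_IMAGE_NAME: ${{ env.GROUP }}/${{ env.REPO }}:${{ github.sha }}
          NGINX: "nginx:latest"
          # NOTE(review): a tag is mutable; pin the scanner by digest
          # (image@sha256:<digest>) once the expected digest is recorded.
          SCANNER_IMAGE: "deepfenceio/deepfence_malware_scanner_ce:2.1.1"
          # Fail the build if the number of findings is >= the threshold.
          # Set a threshold to -1 to pass regardless of that count.
          FAIL_MALWARE_COUNT: "100"
          FAIL_HIGH_MALWARE_COUNT: "10"
          FAIL_MEDIUM_MALWARE_COUNT: "20"
          FAIL_LOW_MALWARE_COUNT: "50"
        run: |
          docker pull "$SCANNER_IMAGE"
          # NOTE(review): --privileged, --net=host and a read-write Docker
          # socket together give the container root-equivalent control of the
          # runner. The socket is what exposes local images to the scanner;
          # confirm whether the other two are required and drop them if not.
          docker run -i --rm --net=host --privileged=true \
            --cpus=0.3 \
            -v /var/run/docker.sock:/var/run/docker.sock:rw \
            "$SCANNER_IMAGE" \
            -image-name "$NGINX" \
            -fail-on-count="$FAIL_MALWARE_COUNT" \
            -fail-on-high-count="$FAIL_HIGH_MALWARE_COUNT" \
            -fail-on-medium-count="$FAIL_MEDIUM_MALWARE_COUNT" \
            -fail-on-low-count="$FAIL_LOW_MALWARE_COUNT"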