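---
#
# This workflow scans the published container images
# for new vulnerabilities daily, publishing findings.
# Findings will be associated with the 'main' branch
# of the repo' in the GitHub Security tab.
#
# Review notes:
# - The third-party actions below are referenced by mutable tags; pinning
#   each to a full commit SHA (keeping the tag in a trailing comment) protects
#   the workflow against a retagged or compromised upstream action.
# - Tags created with the repository GITHUB_TOKEN do not start new workflow
#   runs. If the rebuild relies on a tag-push trigger, the 'update-image' job
#   would need a GitHub App or PAT-backed token instead -- confirm against the
#   build workflow.
#
name: Trivy Periodic Image Scan

on:
  schedule:
    - cron: "0 0 * * *"

jobs:
  lower-case:
    runs-on: ubuntu-latest
    # This job only transforms a string; no repository write access is needed.
    permissions:
      contents: read
    outputs:
      lowercase: ${{ steps.image_name.outputs.lowercase }}
    steps:
      - name: Ensure image name is lower case
        id: image_name
        uses: vishalmamidi/lowercase-action@v1
        with:
          # if rebuilding for a new tag does not also rebuild 'main', then
          # change this to scan the latest tag
          string: ghcr.io/${{ github.repository }}:main

  periodic-scan:
    needs: lower-case
    # The reusable workflow's permissions are capped by this job. They are
    # left at the defaults here because trivy.yml's requirements (e.g. writing
    # findings to the Security tab) are not visible in this file.
    uses: "./.github/workflows/trivy.yml"
    with:
      SOURCE_TYPE: image
      IMAGE_NAME: ${{ needs.lower-case.outputs.lowercase }}

  # If scan failed, rebuild the image
  update-image:
    needs: periodic-scan
    runs-on: ubuntu-latest
    # 'trivy_conclusion' must be exposed as an output by trivy.yml; the
    # '!cancelled()' guard lets this job run even when the scan job failed.
    if: ${{ !cancelled() && needs.periodic-scan.outputs.trivy_conclusion == 'failure' }}
    # Creating a tag is the only write this job performs.
    permissions:
      contents: write
    # tag the repo to trigger a new build
    steps:
      - name: Bump version and push tag
        id: tag_version
        # NOTE(review): this action reference appears garbled as rendered on
        # the page; verify the intended action and version before relying on it.
        uses: mathieudutour/[email protected]
        with:
          github_token: ${{ secrets.GITHUB_TOKEN }}
...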