--- name: Scan Containers on: # yamllint disable-line rule:truthy pull_request: branches: - main paths: - "cluster/**.yaml" - "ansible/**.yml.j2" jobs: detect-file-changes: name: Detect File Changes runs-on: ubuntu-latest steps: - uses: actions/checkout@v3 - uses: dorny/paths-filter@v2 id: filter with: list-files: json filters: | yaml: - added|modified: "**.yaml" - added|modified: "**.yml" - added|modified: "**.yaml.j2" - added|modified: "**.yml.j2" outputs: yaml_files: ${{ steps.filter.outputs.yaml_files }} detect-containers: name: Detect Containers runs-on: ubuntu-latest needs: detect-file-changes strategy: matrix: file: ${{ fromJSON(needs.detect-file-changes.outputs.yaml_files) }} steps: - name: Checkout uses: actions/checkout@v3 - name: Install Jo run: | sudo apt-get install jo - name: Detect Containers in Files id: containers run: | containers=$(.github/scripts/container-parser.sh --file "${{ matrix.file }}") echo "${containers}" echo ::set-output name=containers::${containers} outputs: containers: ${{ steps.containers.outputs.containers }} scan-containers: name: Scan Containers runs-on: ubuntu-latest needs: detect-containers strategy: matrix: ${{ fromJSON(needs.detect-containers.outputs.containers) }} fail-fast: false steps: - name: Checkout uses: actions/checkout@v3 - name: Scan Container uses: aquasecurity/trivy-action@0.6.0 with: image-ref: ${{ matrix.containers }} vuln-type: os,library severity: CRITICAL,HIGH format: sarif output: trivy-results.sarif - name: Upload Trivy scan results to GitHub Security tab uses: github/codeql-action/upload-sarif@v2 with: sarif_file: trivy-results.sarif