shpaq/auricom-home-cluster
1
0
Fork 0
mirror of https://github.com/auricom/home-cluster.git synced 2025-09-17 18:24:14 +02:00
Code Issues Packages Projects Releases Wiki Activity
Files
2aa91ae05c34d1db26cf2c7409a42c305e901b66
auricom-home-cluster/.github/workflows/scan-containers.yaml

73 lines
2.0 KiB
YAML
Raw Blame History

---
name: Scan Containers
on: # yamllint disable-line rule:truthy
pull_request:
branches:
- main
paths:
- "cluster/**.yaml"
- "ansible/**.yml.j2"
jobs:
detect-file-changes:
name: Detect File Changes
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- uses: dorny/paths-filter@v2
id: filter
with:
list-files: json
filters: |
yaml:
- added|modified: "**.yaml"
- added|modified: "**.yml"
- added|modified: "**.yaml.j2"
- added|modified: "**.yml.j2"
outputs:
yaml_files: ${{ steps.filter.outputs.yaml_files }}
detect-containers:
name: Detect Containers
runs-on: ubuntu-latest
needs: detect-file-changes
strategy:
matrix:
file: ${{ fromJSON(needs.detect-file-changes.outputs.yaml_files) }}
steps:
- name: Checkout
uses: actions/checkout@v3
- name: Install Jo
run: |
sudo apt-get install jo
- name: Detect Containers in Files
id: containers
run: |
containers=$(.github/scripts/container-parser.sh --file "${{ matrix.file }}")
echo "${containers}"
echo ::set-output name=containers::${containers}
outputs:
containers: ${{ steps.containers.outputs.containers }}
scan-containers:
name: Scan Containers
runs-on: ubuntu-latest
needs: detect-containers
strategy:
matrix: ${{ fromJSON(needs.detect-containers.outputs.containers) }}
fail-fast: false
steps:
- name: Checkout
uses: actions/checkout@v3
- name: Scan Container
uses: aquasecurity/trivy-action@0.6.0
with:
image-ref: ${{ matrix.containers }}
vuln-type: os,library
severity: CRITICAL,HIGH
format: sarif
output: trivy-results.sarif
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: trivy-results.sarif
Reference in New Issue View Git Blame Copy Permalink