Skip to content

Nightly Scan

Nightly Scan #163

Workflow file for this run

name: Nightly Scan
on:
workflow_dispatch:
inputs:
schedule:
- cron: "0 5 * * *" # UTC
env:
REGISTRY: ghcr.io
jobs:
nightly-scan-branch:
name: Publish
runs-on: ubuntu-latest
permissions:
contents: read
packages: write
id-token: write
steps:
- name: Checkout
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
with:
fetch-depth: 0
lfs: true
- name: Log into registry ${{env.REGISTRY}}
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
with:
registry: ${{env.REGISTRY}}
username: ${{github.actor}}
password: ${{secrets.GITHUB_TOKEN}}
- name: Set Image name
run: |
echo IMAGE_NAME="ghcr.io/nirmata/kyverno-notation-aws:latest" >> $GITHUB_ENV
- name: Scan image using grype
id: grype-scan
uses: anchore/scan-action@v4
with:
image: ${{ env.IMAGE_NAME }}
severity-cutoff: low
fail-build: true
- name: Scan image using trivy
uses: aquasecurity/trivy-action@master
id: trivy-scan
with:
image-ref: ${{ env.IMAGE_NAME }}
format: 'json'
output: 'trivy-scan.json'
exit-code: '1'
- name: Convert trivy json file to tabular form
uses: aquasecurity/trivy-action@0.24.0
if: always() && steps.trivy-scan.conclusion == 'failure'
with:
scan-type: convert
vuln-type: ""
image-ref: trivy-scan.json
format: table
output: trivy-scan.txt
- name: Cat trivy/grype scan file if status == failure
if: always() && (steps.trivy-scan.conclusion == 'failure' || steps.grype-scan.conclusion == 'failure')
shell: bash
run: |
echo "====trivy-scan-txt===="
[ -s "trivy-scan.txt" ] && cat trivy-scan.txt
echo "====trivy-scan-json===="
[ -s "trivy-scan-json" ] && cat trivy-scan-json
echo "====grype-scan===="
cat ${{ steps.grype-scan.outputs.sarif }}
exit 1
- name: Notify failure status
if: always() && (job.status == 'failure')
uses: rtCamp/action-slack-notify@c33737706dea87cd7784c687dadc9adf1be59990 #v2.3.2
env:
SLACK_CHANNEL: cve-nightly-scan-alerts
SLACK_COLOR: ${{ job.status }}
SLACK_ICON: https://cdn-icons-png.flaticon.com/512/25/25231.png
SLACK_MESSAGE: Repository - ${{github.repository}} - main Environment - nightly-scan
SLACK_TITLE: CVE discovered
SLACK_USERNAME: Github Actions
SLACK_WEBHOOK: ${{ secrets.NIGHTLY_SCAN_WEBHOOK }}