Skip to content

Trivy Periodic Image Scan #154

Trivy Periodic Image Scan

Trivy Periodic Image Scan #154

---
#
# This workflow scans the published container images
# for new vulnerabilities daily, publishing findings.
# Findings will be associated with the 'main' branch
# of the repo' in the GitHub Security tab.
#
name: Trivy Periodic Image Scan
on:
schedule:
# - cron: "0 0 * * *" daily
- cron: "0 * * * *" # hourly
jobs:
get-image-reference:
runs-on: ubuntu-latest
steps:
- name: Get image reference
id: image_ref
run: |
repo_name=$(echo ${{ github.repository }} | tr '[:upper:]' '[:lower:]')
basic_creds=$(echo "dummy-user-name:${{ github.token }}" | base64)
bearer_token=$(curl -H "Authorization: Basic ${basic_creds}" https://ghcr.io/token?service=ghcr.io&scope=${repo_name}:pull | jq -r '.token' )
last_tag=$(curl -H "Authorization: Bearer ${bearer_token}" "https://ghcr.io/v2/${repo_name}/tags/list?page_size=1000" | jq -r '.tags[-1]' )
echo "repo_name=$repo_name" >> $GITHUB_ENV
echo "last_tag=$last_tag" >> $GITHUB_ENV
outputs:
image_reference: ghcr.io/${{ env.repo_name }}:${{ env.last_tag }}
periodic-scan:
needs: get-image-reference
uses: "./.github/workflows/trivy.yml"
with:
SOURCE_TYPE: image
IMAGE_NAME: ${{ needs.get-image-reference.outputs.image_reference }}
# If scan failed, rebuild the image
update-image:
needs: periodic-scan
runs-on: ubuntu-latest
if: ${{!cancelled() && needs.periodic-scan.outputs.trivy_conclusion == 'failure' }}
# tag the repo to trigger a new build
steps:
- name: Bump version and push tag
id: tag_version
uses: mathieudutour/[email protected]
with:
github_token: ${{ secrets.GITHUB_TOKEN }}
...