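---
name: Nightly Vulnerability Scan

# yamllint disable-line rule:truthy
on:
  schedule:
    # Run every night at midnight (GitHub evaluates cron in UTC)
    - cron: '0 0 * * *'

# Least privilege: the job only needs to read the checkout and open issues.
permissions:
  contents: read
  issues: write

jobs:
  vulnerability-scan:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Set up Grype
        run: |
          # NOTE(review): this pipes the installer from the upstream `main`
          # branch with no version pin and no checksum, so the scanner binary
          # can change silently between nightly runs. Pin a release tag (the
          # install script takes one as its final argument) and verify the
          # download before trusting scan results.
          curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin

      - name: Get latest commit SHA of Kaniko project
        id: get-commit
        run: |
          LATEST_COMMIT_SHA=$(git rev-parse HEAD)
          echo "Latest commit SHA: $LATEST_COMMIT_SHA"
          # `::set-output` is deprecated and disabled on current runners;
          # step outputs are written to the $GITHUB_OUTPUT file instead.
          echo "sha=$LATEST_COMMIT_SHA" >> "$GITHUB_OUTPUT"

      - name: Scan the latest CI/CD image
        env:
          # Passed via env rather than inlined into the script so the
          # expression is never interpolated into shell source.
          IMAGE_ID: gcr.io/kaniko-project/executor:${{ steps.get-commit.outputs.sha }}
        run: |
          echo "Scanning image $IMAGE_ID"
          # Keep the report on disk so the next step can attach it to an issue.
          grype "$IMAGE_ID" > grype-output.txt

      - name: Check for vulnerabilities and create an issue
        env:
          # gh needs a token in the environment; the job's issues: write
          # permission above scopes it.
          GH_TOKEN: ${{ github.token }}
        run: |
          # Relies on the literal message grype prints in table output when the
          # image is clean; an empty or malformed report is treated as findings.
          if grep -q 'No vulnerabilities found' grype-output.txt; then
            echo "No vulnerabilities found."
          else
            # gh rejects --body together with --body-file, so the summary text
            # and the report are combined into one body file.
            {
              echo "Vulnerabilities found in the latest image scan. Please check the attached report."
              echo
              echo '```'
              cat grype-output.txt
              echo '```'
            } > issue-body.md
            # NOTE(review): this opens a new issue on every failing night; consider
            # searching for an existing open issue first to avoid duplicates.
            gh issue create \
              --title "Vulnerabilities Found in Nightly Scan" \
              --body-file issue-body.md
          fi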