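---
# Nightly Grype scan of the Kaniko executor image built from the commit that
# triggered the run. Opens a GitHub issue when the scan reports any matches.
#
# Changes from the previous revision (all security/correctness, interface kept):
#   * GITHUB_TOKEN scoped to the minimum the job needs (permissions block).
#   * Grype installer and binary pinned to a release instead of `main`.
#   * Deprecated `::set-output` and the redundant checkout/rev-parse replaced by
#     `github.sha`, which is the same commit for the schedule event.
#   * Vulnerability check reads Grype's JSON instead of grepping UI text.
#   * `gh issue create --file` (no such flag) fixed to `--body-file`, `GH_TOKEN`
#     supplied, and duplicate nightly issues avoided.
name: Nightly Vulnerability Scan

on:  # yamllint disable-line rule:truthy
  schedule:
    # Every night at 00:00 UTC (GitHub cron schedules are always UTC).
    - cron: '0 0 * * *'
  # On-demand runs for triage or after bumping the scanner version.
  workflow_dispatch:

# Least privilege for the default GITHUB_TOKEN: `gh issue list/create` need
# issues:write; nothing in this workflow writes repository contents.
permissions:
  contents: read
  issues: write

env:
  # For the schedule event `github.sha` is the head of the default branch, which
  # is what the old checkout + `git rev-parse HEAD` produced.
  # NOTE(review): assumes Kaniko CI publishes executor images tagged with the
  # full commit SHA — verify against the publish workflow before relying on it.
  IMAGE_ID: 'gcr.io/kaniko-project/executor:${{ github.sha }}'
  # Pin both the installer script and the Grype binary to a tagged release so a
  # compromised or simply changed `main` branch cannot push arbitrary code into
  # this runner. Example pin — check the Grype releases page and bump deliberately.
  GRYPE_VERSION: 'v0.74.0'

jobs:
  vulnerability-scan:
    runs-on: ubuntu-latest
    # Bound the job so a hung registry pull or DB download cannot run for hours.
    timeout-minutes: 30

    steps:
      - name: Install Grype
        run: |
          set -euo pipefail
          # Supply-chain note: piping a remote script into sh is only as
          # trustworthy as the pinned ref. Never point GRYPE_VERSION at a branch.
          # -f fails on HTTP errors, -S still reports them despite -s.
          curl -sSfL "https://raw.githubusercontent.com/anchore/grype/${GRYPE_VERSION}/install.sh" \
            | sh -s -- -b /usr/local/bin "${GRYPE_VERSION}"
          grype version

      - name: Scan the latest CI/CD image
        run: |
          set -euo pipefail
          echo "Scanning image ${IMAGE_ID}"
          # JSON output is machine-checkable. The previous text grep for
          # 'No vulnerabilities found' relied on UI wording that is not
          # guaranteed to land on stdout, so a miss there created a false issue.
          grype "${IMAGE_ID}" -o json > grype-output.json

      - name: Check for vulnerabilities and create an issue
        env:
          # `gh` needs an explicit token in Actions; GH_REPO is required because
          # the repository is no longer checked out.
          GH_TOKEN: ${{ github.token }}
          GH_REPO: ${{ github.repository }}
        run: |
          set -euo pipefail
          MATCHES=$(jq '.matches | length' grype-output.json)
          if [ "${MATCHES}" -eq 0 ]; then
            echo "No vulnerabilities found."
            exit 0
          fi
          echo "Found ${MATCHES} vulnerability match(es) in ${IMAGE_ID}"

          TITLE="Vulnerabilities Found in Nightly Scan"
          # Do not open a new issue every night while the previous one is still open.
          OPEN=$(gh issue list --state open --search "\"${TITLE}\" in:title" --json number --jq 'length')
          if [ "${OPEN}" -gt 0 ]; then
            echo "An open issue titled '${TITLE}' already exists; not creating another."
            exit 0
          fi

          # Summarise the first 200 matches from Grype's JSON (matches[].vulnerability,
          # matches[].artifact) so the issue body stays below GitHub's size limit.
          {
            echo "Grype reported ${MATCHES} vulnerability match(es) in \`${IMAGE_ID}\` (commit ${GITHUB_SHA})."
            echo
            echo "| Vulnerability | Severity | Package | Version |"
            echo "|---|---|---|---|"
            jq -r '.matches[:200][] | "| \(.vulnerability.id) | \(.vulnerability.severity) | \(.artifact.name) | \(.artifact.version) |"' grype-output.json
            echo
            echo "Showing at most 200 matches; full report in the workflow run:"
            echo "${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}/actions/runs/${GITHUB_RUN_ID}"
          } > issue-body.md
          # `gh issue create` has no --file flag; the body is read with --body-file.
          gh issue create --title "${TITLE}" --body-file issue-body.md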