NIGHTLY-SCAN #1611
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: NIGHTLY-SCAN | |
| on: | |
| schedule: | |
| - cron: '0 1 * * *' | |
| jobs: | |
| get-matrix-values: | |
| runs-on: ubuntu-latest | |
| outputs: | |
| image: ${{ steps.set-var.outputs.image }} | |
| steps: | |
| - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 | |
| - id: set-var | |
| run: | | |
| echo 'image<<EOF' >> $GITHUB_OUTPUT | |
| cat ./image-matrix.json >> $GITHUB_OUTPUT | |
| echo 'EOF' >> $GITHUB_OUTPUT | |
| anchore-scan: | |
| runs-on: ubuntu-latest | |
| needs: get-matrix-values | |
| strategy: | |
| matrix: | |
| image: ${{fromJSON(needs.get-matrix-values.outputs.image)}} | |
| steps: | |
| - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 | |
| - name: Set job environment variables | |
| run: cat JOB.env >> $GITHUB_ENV | |
| - name: Run Anchore Grype scan | |
| id: grype-scan | |
| uses: anchore/scan-action@1638637db639e0ade3258b51db49a9a137574c3e # v6 | |
| with: | |
| image: defradigital/${{env.IMAGE_NAME}}:${{env.DEFRA_VERSION}}-node${{matrix.image.nodeVersion}} | |
| fail-build: true | |
| severity-cutoff: "medium" | |
| continue-on-error: true | |
| - name: Run Aqua Trivy scan | |
| id: trivy-scan | |
| uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # 0.35.0 | |
| with: | |
| image-ref: defradigital/${{env.IMAGE_NAME}}:${{env.DEFRA_VERSION}}-node${{matrix.image.nodeVersion}} | |
| format: sarif | |
| output: trivy-reports-node-${{ matrix.image.nodeVersion }} | |
| exit-code: 1 | |
| vuln-type: os,library | |
| severity: CRITICAL,HIGH,MEDIUM | |
| continue-on-error: true | |
| - name: Upload Grype SARIF report | |
| if: ${{ steps.grype-scan.outcome == 'failure' }} | |
| uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 | |
| with: | |
| name: grype-reports-node-${{ matrix.image.nodeVersion }} | |
| path: ${{ steps.grype-scan.outputs.sarif }} | |
| - name: Upload Trivy SARIF report | |
| if: ${{ steps.trivy-scan.outcome == 'failure' }} | |
| uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 | |
| with: | |
| name: trivy-reports-node-${{ matrix.image.nodeVersion }} | |
| path: trivy-reports-node-${{ matrix.image.nodeVersion }} | |
| - name: Fail build if scans failed | |
| if: ${{ (steps.grype-scan.outcome == 'failure' || steps.trivy-scan.outcome == 'failure') }} | |
| run: | | |
| echo "One or more scans failed. Failing the build." | |
| exit 1 |