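---
# Nightly CVE scan of released images. A first job reads the build matrix
# from .github/ci.yaml; a second job calls the shared oci-factory
# vulnerability-scan workflow once per matrix entry.
name: Scan CVEs dispatch

on:
  workflow_dispatch:
  schedule:
    # 01:00 UTC, daily.
    - cron: "0 1 * * *"

jobs:
  read-config:
    runs-on: ubuntu-latest
    # Least privilege: this job only checks out the repository and reads
    # .github/ci.yaml, so contents: read is all it needs. Without an
    # explicit block it inherited the repository's default GITHUB_TOKEN
    # permissions, which may be broader than that.
    permissions:
      contents: read
    outputs:
      # NOTE(review): ghcr-scanning is exported but not consumed by run-scan
      # below; if it is meant to gate scanning, add an `if:` on run-scan once
      # the output's value format is confirmed against read-ci-config.
      ghcr-scanning: ${{ steps.read-ci-config.outputs.ghcr-cve-scan }}
      build-matrix: ${{ steps.read-ci-config.outputs.build-matrix }}
    steps:
      - name: Checkout repository
        # NOTE(review): both actions below are pinned to mutable major tags;
        # pinning to a full commit SHA prevents a retagged release from
        # changing what runs here.
        uses: actions/checkout@v5
      - name: Read .github/ci.yaml
        id: read-ci-config
        uses: canonical/rocks-template-actions/actions/read-ci-config@v1

  run-scan:
    name: Run scan for released images
    needs: [read-config]
    # NOTE(review): the called workflow is referenced at the mutable `main`
    # branch, so its contents can change between runs of this workflow;
    # a release tag or commit SHA is the supply-chain-safe reference.
    uses: canonical/oci-factory/.github/workflows/Vulnerability-Scan.yaml@main
    strategy:
      # One scan per matrix entry emitted by read-config.
      matrix: ${{ fromJson(needs.read-config.outputs.build-matrix) }}
    with:
      oci-image-name: ghcr.io/${{ github.repository }}/${{ matrix.name }}:${{ matrix.tag }}
      # NOTE(review): create-issue is enabled but only read scopes are
      # granted below; if the called workflow opens issues with GITHUB_TOKEN
      # it also needs `issues: write` — confirm against Vulnerability-Scan.yaml
      # before widening permissions.
      create-issue: true
      trivyignore-path: ${{ matrix.directory }}/.trivyignore
    # Token scope handed to the reusable workflow: read-only.
    permissions:
      contents: read
      packages: read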