⚗️ sarif and gh

Yoan Moscatelli · Yoan Moscatelli · commit 7d361754441a · 2025-03-17T15:27:14.000Z
diff --git a/.github/workflows/nightly.yaml b/.github/workflows/nightly.yaml
@@ -0,0 +1,85 @@
+name: "nightly"
+run-name: "Nightly tests for ${{ github.ref_name }}"
+
+on:
+  schedule:
+    - cron: "22 0 * * *"  # Runs daily at 22:00 UTC
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+jobs:
+  update-scanners:
+    runs-on: ubuntu-24.04
+    steps:
+
+      - name: Create github token
+        uses: actions/create-github-app-token@v1
+        id: app-token
+        with:
+          app-id: ${{ vars.ACTIONS_APP_ID }}
+          private-key: ${{ secrets.ACTIONS_APP_PRIVATE_KEY }}
+          owner: ${{ github.repository_owner }}
+
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          token: ${{ steps.app-token.outputs.token }}
+
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: 3.12
+
+      - name: Install dependencies
+        run: pip install requests
+
+      - name: Update scanner versions
+        run: python .github/scripts/update_scanners.py
+
+      - name: Create Pull Request
+        uses: peter-evans/create-pull-request@v7
+        id: pr
+        with:
+          title: Dependency update
+          branch: feature/deps-update
+          delete-branch: true
+          commit-message: ":arrow_up: Update scanner versions"
+          token: ${{ steps.app-token.outputs.token }}
+
+  vuln-scan:
+    permissions:
+      contents: read # for actions/checkout to fetch code
+      security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+      actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
+    runs-on: ubuntu-24.04
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          path: ./
+          fetch-depth: 0
+          fetch-tags: true
+
+      - name: Create SBOM
+        uses: anchore/sbom-action@v0
+        with:
+          path: ./
+          format: cyclonedx-json
+          output-file: "${{ github.event.repository.name }}-sbom.cdx.json"
+
+      - name: Scan SBOM
+        uses: anchore/scan-action@v6
+        id: scan
+        with:
+          sbom: "${{ github.event.repository.name }}-sbom.cdx.json"
+          output-format: sarif
+          fail-build: false
+          add-cpes-if-none: true
+          by-cve: true
+
+      - name: Upload SARIF report
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: ${{ steps.scan.outputs.sarif }}
diff --git a/.github/workflows/tests.yaml b/.github/workflows/tests.yaml
@@ -5,7 +5,7 @@ on:
 
 jobs:
   test-as-action:
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     steps:
       - name: Checkout
         uses: actions/checkout@v4
diff --git a/.github/workflows/update_scanners.yml b/.github/workflows/update_scanners.yml
