Weekly Linux Vulnerability Scan #36
```yaml
name: Weekly Linux Vulnerability Scan
on:
  schedule:
    - cron: '0 0 * * 0' # Run at midnight every Sunday
  workflow_dispatch: # Allow manual triggering
jobs:
  linux-vulnerability-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
        with:
          fetch-depth: 5
      - name: Show history for debug help
        run: |
          git log --oneline -n 5
      - name: Build Docker image
        id: build-image
        run: |
          source ./scripts/build.sh
          # Build the amd64 binary
          build_binary_GOOS_GOARCH linux amd64
          # Build the container image for amd64
          gen_dockerfile_for_os_arch linux amd64
          build_container_dockerfile_arch build/linux/amd64/Dockerfile amd64
          # Export the image tag using the IMAGE_VERSION variable already set in build_funcs.sh
          echo "image_version=$IMAGE_VERSION" >> $GITHUB_OUTPUT
      - name: Run vulnerability scanner
        # Note: @master is a moving reference; pinning the action to a release tag
        # or a full commit SHA gives a reproducible, tamper-resistant scanner version.
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: sonobuoy/sonobuoy:amd64-${{ steps.build-image.outputs.image_version }}
          format: 'table'
          # Fail the job when findings at the listed severities are present
          exit-code: '1'
          vuln-type: 'os,library'
          severity: 'CRITICAL,HIGH,MEDIUM'
```