Skip to content

Scheduled Trivy Scan #77

Scheduled Trivy Scan

Scheduled Trivy Scan #77

Workflow file for this run

name: Scheduled Trivy Scan
on:
workflow_dispatch:
schedule:
- cron: "0 10 * * 1"
jobs:
trivy:
if: ${{ github.repository_owner == 'nrkno' }}
name: Trivy scan
runs-on: ubuntu-latest
strategy:
matrix:
image: ["server-core", "playout-gateway", "mos-gateway"]
timeout-minutes: 15
steps:
- name: Run Trivy vulnerability scanner (json)
uses: aquasecurity/[email protected]
env:
TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db
with:
image-ref: ghcr.io/nrkno/sofie-core-${{ matrix.image }}:latest
format: json
output: "${{ matrix.image }}-trivy-scan-results.json"
- name: Run Trivy vulnerability scanner (table)
uses: aquasecurity/[email protected]
env:
TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db
with:
image-ref: ghcr.io/nrkno/sofie-core-${{ matrix.image }}:latest
output: "${{ matrix.image }}-trivy-scan-results.txt"
- name: Post all scan results to Github Summary as a table
env:
CODE_BLOCK: "```"
run: |
echo "# Trivy scan results ~ sofie-core-${{ matrix.image}}:latest" >> $GITHUB_STEP_SUMMARY
echo $CODE_BLOCK >> $GITHUB_STEP_SUMMARY
cat ${{ matrix.image }}-trivy-scan-results.txt >> $GITHUB_STEP_SUMMARY
echo $CODE_BLOCK >> $GITHUB_STEP_SUMMARY
- name: Run Trivy in GitHub SBOM mode and submit results to Dependency Graph
uses: aquasecurity/[email protected]
env:
TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db
with:
format: "github"
output: "dependency-results-${{ matrix.image }}.sbom.json"
image-ref: ghcr.io/nrkno/sofie-core-${{ matrix.image }}:latest
github-pat: ${{ secrets.GITHUB_TOKEN }}
- name: Create summary of Trivy issues
run: |
summary=$(jq -r '.Results[] | select(.Vulnerabilities) | .Vulnerabilities | group_by(.Severity) | map({Severity: .[0].Severity, Count: length}) | .[] | [.Severity, .Count] | join(": ")' ${{ matrix.image }}-trivy-scan-results.json | awk 'NR > 1 { printf(" | ") } {printf "%s",$0}')
if [ -z "$summary" ]
then
summary="0 Issues"
fi
echo "SUMMARY=$summary" >> $GITHUB_ENV
echo ${{ env.SUMMARY }}
- name: Send Slack Notification
uses: slackapi/[email protected]
with:
webhook: ${{ secrets.SLACK_WEBHOOK_URL }}
webhook-type: incoming-webhook
payload: |
text: "Trivy scan results"
blocks:
- type: "header"
text:
type: "plain_text"
text: "Trivy scan results for sofie-core-${{ matrix.image }}:latest"
- type: "section"
text:
type: "mrkdwn"
text: ":thisisfine: ${{ env.SUMMARY }}"
- type: "section"
text:
type: "mrkdwn"
text: "Read the full scan results on Github"
accessory:
type: "button"
text:
type: "plain_text"
text: ":github: Scan results"
emoji: true
value: "workflow_run"
url: "${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}"
action_id: "button-action"