mirror of
https://github.com/kyverno/kyverno.git
synced 2025-03-15 20:20:22 +00:00
Move Nancy scan to a periodic job (#10725)
Signed-off-by: Lavish pal <lvishpal408@gmail.com>
This commit is contained in:
parent
c9103a11bb
commit
7efb8a7c65
1 changed files with 51 additions and 12 deletions
63
.github/workflows/nancy.yaml
vendored
63
.github/workflows/nancy.yaml
vendored
|
@ -5,22 +5,17 @@ name: Nancy
|
||||||
permissions: {}
|
permissions: {}
|
||||||
|
|
||||||
on:
|
on:
|
||||||
push:
|
workflow_dispatch:
|
||||||
branches:
|
schedule:
|
||||||
- '*'
|
- cron: '23 2 * * *' # Every day at 02:23 UTC
|
||||||
pull_request:
|
|
||||||
branches:
|
|
||||||
- 'main'
|
|
||||||
- 'release*'
|
|
||||||
|
|
||||||
concurrency:
|
|
||||||
group: ${{ github.workflow }}-${{ github.ref }}
|
|
||||||
cancel-in-progress: true
|
|
||||||
|
|
||||||
jobs:
|
jobs:
|
||||||
nancy:
|
nancy-scan:
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
name: Nancy
|
name: nancy-scan
|
||||||
steps:
|
steps:
|
||||||
- name: Checkout
|
- name: Checkout
|
||||||
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
|
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
|
||||||
|
@ -35,3 +30,47 @@ jobs:
|
||||||
run: go list -json -deps ./... > go.list
|
run: go list -json -deps ./... > go.list
|
||||||
- name: Nancy SAST Scan
|
- name: Nancy SAST Scan
|
||||||
uses: sonatype-nexus-community/nancy-github-action@726e338312e68ecdd4b4195765f174d3b3ce1533 # v1.0.3
|
uses: sonatype-nexus-community/nancy-github-action@726e338312e68ecdd4b4195765f174d3b3ce1533 # v1.0.3
|
||||||
|
with:
|
||||||
|
output_format: json
|
||||||
|
output-file: nancy-results.json
|
||||||
|
- name: Parse scan results
|
||||||
|
id: parse-results
|
||||||
|
run: |
|
||||||
|
if [ -s nancy-results.json ]; then
|
||||||
|
echo "Vulnerabilities found, creating issue"
|
||||||
|
echo "results=found" >> $GITHUB_OUTPUT
|
||||||
|
else
|
||||||
|
echo "No vulnerabilities found, halting"
|
||||||
|
echo "results=nothing" >> $GITHUB_OUTPUT
|
||||||
|
fi
|
||||||
|
- name: Upload vulnerability scan report
|
||||||
|
uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
|
||||||
|
if: steps.parse-results.outputs.results == 'found'
|
||||||
|
with:
|
||||||
|
name: nancy-results.json
|
||||||
|
path: nancy-results.json
|
||||||
|
if-no-files-found: error
|
||||||
|
|
||||||
|
open-issue:
|
||||||
|
runs-on: ubuntu-latest
|
||||||
|
if: needs.nancy-scan.result == 'success'
|
||||||
|
needs: nancy-scan
|
||||||
|
permissions:
|
||||||
|
issues: write
|
||||||
|
steps:
|
||||||
|
- name: Checkout
|
||||||
|
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
|
||||||
|
- name: Download scan results
|
||||||
|
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
|
||||||
|
with:
|
||||||
|
name: nancy-results.json
|
||||||
|
- name: Set scan output
|
||||||
|
id: set-scan-output
|
||||||
|
run: echo "results=$(cat nancy-results.json | jq -c)" >> $GITHUB_OUTPUT
|
||||||
|
- uses: JasonEtco/create-an-issue@1b14a70e4d8dc185e5cc76d3bec9eab20257b2c5 # v2.9.2
|
||||||
|
env:
|
||||||
|
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
||||||
|
RESULTS: ${{ steps.set-scan-output.outputs.results }}
|
||||||
|
with:
|
||||||
|
filename: .github/ISSUE_TEMPLATE/VULN-TEMPLATE.md
|
||||||
|
|
Loading…
Add table
Reference in a new issue