Move Nancy scan to a periodic job (#10725)

Signed-off-by: Lavish pal <lvishpal408@gmail.com>
2024-12-14 11:57:48 +00:00 · 2024-07-31 14:02:29 +05:30 · 2024-07-31 14:02:29 +05:30 · 7efb8a7c65
commit 7efb8a7c65
parent c9103a11bb
1 changed files with 51 additions and 12 deletions
--- a/.github/workflows/nancy.yaml
+++ b/.github/workflows/nancy.yaml
@ -5,22 +5,17 @@ name: Nancy
 permissions: {}

 on:
-  push:
-    branches:
-      - '*'
-  pull_request:
-    branches:
-      - 'main'
-      - 'release*'
+  workflow_dispatch:
+  schedule:
+    - cron: '23 2 * * *' # Every day at 02:23 UTC
+
+    

-concurrency:
-  group: ${{ github.workflow }}-${{ github.ref }}
-  cancel-in-progress: true

 jobs:
-  nancy:
+  nancy-scan:
    runs-on: ubuntu-latest
-    name: Nancy
+    name: nancy-scan
    steps:
      - name: Checkout
        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
@ -35,3 +30,47 @@ jobs:
        run: go list -json -deps ./... > go.list
      - name: Nancy SAST Scan
        uses: sonatype-nexus-community/nancy-github-action@726e338312e68ecdd4b4195765f174d3b3ce1533 # v1.0.3
+        with:
+          output_format: json
+          output-file: nancy-results.json
+      - name: Parse scan results
+        id: parse-results
+        run: |
+          if [ -s nancy-results.json ]; then
+            echo "Vulnerabilities found, creating issue"
+            echo "results=found" >> $GITHUB_OUTPUT
+          else
+            echo "No vulnerabilities found, halting"
+            echo "results=nothing" >> $GITHUB_OUTPUT
+          fi
+      - name: Upload vulnerability scan report
+        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
+        if: steps.parse-results.outputs.results == 'found'
+        with:
+          name: nancy-results.json
+          path: nancy-results.json
+          if-no-files-found: error
+
+  open-issue:
+    runs-on: ubuntu-latest
+    if: needs.nancy-scan.result == 'success'
+    needs: nancy-scan
+    permissions:
+      issues: write
+    steps:
+      - name: Checkout
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+      - name: Download scan results
+        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
+        with:
+          name: nancy-results.json
+      - name: Set scan output
+        id: set-scan-output
+        run: echo "results=$(cat nancy-results.json | jq -c)" >> $GITHUB_OUTPUT
+      - uses: JasonEtco/create-an-issue@1b14a70e4d8dc185e5cc76d3bec9eab20257b2c5 # v2.9.2
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          RESULTS: ${{ steps.set-scan-output.outputs.results }}
+        with:
+          filename: .github/ISSUE_TEMPLATE/VULN-TEMPLATE.md
+