name: report-on-vulnerabilities on: workflow_dispatch: {} schedule: - cron: '23 2 * * *' # Every day at 02:23 env: REGISTRY: ghcr.io IMAGE_NAME: ${{ github.repository }} jobs: scan: runs-on: ubuntu-20.04 permissions: contents: read outputs: results: ${{ steps.parse-results.outputs.results }} steps: - name: Scan for vulnerabilities uses: aquasecurity/trivy-action@9ab158e8597f3b310480b9a69402b419bc03dbd5 # v0.8.0 (Trivy v0.34.0) with: image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest format: json ignore-unfixed: false severity: HIGH,CRITICAL output: scan.json - name: Parse scan results id: parse-results continue-on-error: true run: | VULNS=$(cat scan.json | jq '.Results[] | has("Vulnerabilities")') if echo $VULNS | grep -q 'true'; then echo "Vulnerabilities found, creating issue" echo "results=$(cat scan.json)" >> $GITHUB_OUTPUT else echo "No vulnerabilities found, halting" echo "results=nothing" >> $GITHUB_OUTPUT fi - name: Upload vulnerability scan report uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8 # v3.1.0 if: contains(steps.parse-results.outputs.results, 'SchemaVersion') with: name: scan.json path: scan.json if-no-files-found: error open-issue: runs-on: ubuntu-latest if: contains(needs.scan.outputs.results, 'SchemaVersion') needs: scan steps: - uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0 - name: Download scan uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741 # v3.0.0 with: name: scan.json - name: Set scan output id: set-scan-output run: echo "results=$(cat scan.json)" >> $GITHUB_OUTPUT - uses: JasonEtco/create-an-issue@1a16035489d05041b9af40b970f02e301c52ffba # v2.8.0 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} RESULTS: ${{ steps.set-scan-output.outputs.results }} with: filename: .github/VULN_TEMPLATE.md