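# Nightly image vulnerability scan: runs Trivy against the published image,
# keeps the JSON report as an artifact, and opens a tracking issue when any
# HIGH/CRITICAL finding is present.
name: report-on-vulnerabilities

on:
  workflow_dispatch: {}
  schedule:
    - cron: '23 2 * * *'  # Every day at 02:23

env:
  REGISTRY: ghcr.io
  IMAGE_NAME: ${{ github.repository }}

jobs:
  scan:
    runs-on: ubuntu-20.04
    permissions:
      contents: read
    outputs:
      # Single-line boolean string ('true' / 'false'). The full report is not
      # passed through job outputs: they are single-line values unless the
      # "<<delimiter" form is used, and the raw file is already kept as an
      # artifact below.
      found: ${{ steps.parse-results.outputs.found }}
    steps:
      - name: Scan for vulnerabilities
        uses: aquasecurity/trivy-action@9ab158e8597f3b310480b9a69402b419bc03dbd5  # v0.8.0 (Trivy v0.34.0)
        with:
          image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest
          format: json
          ignore-unfixed: false
          severity: HIGH,CRITICAL
          output: scan.json

      - name: Parse scan results
        id: parse-results
        # No continue-on-error here: a failed parse (missing scan.json, jq
        # error) should fail the job visibly rather than silently skip the
        # issue creation.
        run: |
          # `.Results[]?` tolerates a missing/null Results key (clean scan);
          # `jq -e` exits non-zero when the final value is false.
          if jq -e '[.Results[]? | has("Vulnerabilities")] | any' scan.json > /dev/null; then
            echo "Vulnerabilities found, creating issue"
            echo "found=true" >> "$GITHUB_OUTPUT"
          else
            echo "No vulnerabilities found, halting"
            echo "found=false" >> "$GITHUB_OUTPUT"
          fi

      - name: Upload vulnerability scan report
        uses: actions/upload-artifact@83fd05a356d7e2593de66fc9913b3002723633cb  # v3.1.1
        if: steps.parse-results.outputs.found == 'true'
        with:
          name: scan.json
          path: scan.json
          if-no-files-found: error

  open-issue:
    runs-on: ubuntu-latest
    if: needs.scan.outputs.found == 'true'
    needs: scan
    # Least privilege: checkout needs contents read, create-an-issue needs
    # issues write. Without an explicit grant the job relies on the
    # repository's default token permissions, which may be read-only.
    permissions:
      contents: read
      issues: write
    steps:
      - uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8  # v3.1.0

      - name: Download scan
        uses: actions/download-artifact@9782bd6a9848b53b110e712e20e42d89988822b7  # v3.0.1
        with:
          name: scan.json

      - name: Set scan output
        id: set-scan-output
        run: |
          # The Trivy report is multi-line JSON, so it has to be written with
          # the multi-line output syntax (name<<delimiter ... delimiter).
          # A random delimiter keeps a report line that happens to equal the
          # delimiter (content ultimately derived from the scanned image) from
          # terminating the value early.
          # NOTE(review): step outputs have a size cap (about 1 MB per value);
          # a very large report would fail here — confirm against typical
          # report size.
          delim="$(openssl rand -hex 16)"
          {
            echo "results<<${delim}"
            cat scan.json
            echo "${delim}"
          } >> "$GITHUB_OUTPUT"

      - uses: JasonEtco/create-an-issue@77399b6110ef82b94c1c9f9f615acf9e604f7f56  # v2.8.1
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          # Consumed by .github/VULN_TEMPLATE.md (template body not visible here).
          RESULTS: ${{ steps.set-scan-output.outputs.results }}
        with:
          filename: .github/VULN_TEMPLATE.md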