weekly_vuln_scan.yml
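---
# Weekly scan of the published frontend images for CRITICAL/HIGH findings.
# The "prepare" job selects the newest tag per major.minor line; the "scan"
# job runs Trivy against each selected image.
name: Vulnerability_Scan_Latest

on:
  schedule:
    - cron: "0 14 * * 1"  # Works on each Monday 14:00 UTC
  workflow_dispatch:

# Least privilege: nothing in this workflow writes to the repository.
permissions:
  contents: read

jobs:
  prepare:
    runs-on: ubuntu-latest
    outputs:
      latest_tags: ${{ steps.set_output.outputs.latest_tags }}
    steps:
      - name: Checkout Repository
        # TODO(review): pin to a full commit SHA (actions/checkout@<commit-sha>)
        # so the action's code cannot change underneath this workflow.
        uses: actions/checkout@v3

      - name: Fetch Tags
        id: fetch_tags
        run: |
          set -euo pipefail
          echo "Fetching tags from Docker Hub..."
          # Example command, replace with actual command to fetch tags.
          # Once this is a real registry query its output is untrusted input:
          # keep handing it to later steps through `env:` (see below) rather
          # than interpolating ${{ }} into a script body.
          # ::set-output is deprecated; write step outputs to $GITHUB_OUTPUT.
          echo "tags=v2.0.0,v1.1.2,v1.1.1,v1.1.0,v1.0.1,v1.0.0" >> "$GITHUB_OUTPUT"

      - name: Determine Latest Tags
        id: set_output
        env:
          # Passed via the environment instead of ${{ }} inside the script, so a
          # crafted tag name cannot inject shell into this step.
          TAGS: ${{ steps.fetch_tags.outputs.tags }}
        run: |
          set -euo pipefail
          IFS=',' read -r -a tag_array <<< "$TAGS"
          declare -A latest_versions
          for tag in "${tag_array[@]}"; do
            version="${tag#v}"  # strip only a leading "v", not every "v" in the tag
            major=$(echo "$version" | cut -d'.' -f1)
            minor=$(echo "$version" | cut -d'.' -f2)
            key="${major}.${minor}"
            current="${latest_versions[$key]:-}"
            # Compare versions numerically with sort -V: the previous plain
            # string comparison ranked 1.9.0 above 1.10.0.
            if [[ -z "$current" ]] || \
               [[ "$(printf '%s\n' "${current#v}" "$version" | sort -V | tail -n1)" == "$version" ]]; then
              latest_versions[$key]="$tag"
            fi
          done
          latest_tags=$(IFS=,; echo "${latest_versions[*]}")
          echo "latest_tags=$latest_tags" >> "$GITHUB_OUTPUT"

  scan:
    needs: prepare
    runs-on: ubuntu-latest
    steps:
      - name: Scan Docker Images with Trivy
        env:
          # Same reasoning as above: job outputs are data, not script text.
          LATEST_TAGS: ${{ needs.prepare.outputs.latest_tags }}
        run: |
          set -euo pipefail
          # An empty tag list must not look like a clean scan.
          if [[ -z "$LATEST_TAGS" ]]; then
            echo "::error::No tags to scan; refusing to report a clean run"
            exit 1
          fi
          IFS=',' read -r -a tags <<< "$LATEST_TAGS"
          status=0
          # Scan every selected image before failing, so one vulnerable tag does
          # not hide findings in the others (--exit-code 1 alone stopped the loop
          # at the first failing image).
          for tag in "${tags[@]}"; do
            IMAGE="ghcr.io/genomicdatainfrastructure/gdi-userportal-frontend:$tag"
            echo "Scanning $IMAGE"
            # TODO(review): pin aquasec/trivy to a version or digest for reproducible scans.
            if ! docker run --rm aquasec/trivy:latest image --severity CRITICAL,HIGH --exit-code 1 "$IMAGE"; then
              echo "::error::CRITICAL/HIGH findings (or scan error) in $IMAGE"
              status=1
            fi
          done
          exit "$status"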