mirror of
https://github.com/goharbor/harbor.git
synced 2024-11-29 05:35:43 +01:00
add new workflow for nightly image scan (#17818)
add trivy nightly scan for harbor images - upload results to github security tab - scan all dev images Signed-off-by: Akhil Mohan <akhilerm@gmail.com>
This commit is contained in:
parent
f97aedfb5c
commit
bcbfad632a
38
.github/workflows/nightly-trivy-scan.yml
vendored
Normal file
38
.github/workflows/nightly-trivy-scan.yml
vendored
Normal file
@ -0,0 +1,38 @@
|
||||
name: Trivy Nightly Scan
|
||||
on:
|
||||
schedule:
|
||||
- cron: '0 2 * * *' # run at 2 AM UTC
|
||||
|
||||
|
||||
jobs:
|
||||
nightly-scan:
|
||||
name: Trivy Scan nightly
|
||||
strategy:
|
||||
fail-fast: false
|
||||
matrix:
|
||||
# maintain the versions of harbor that need to be actively
|
||||
# security scanned
|
||||
# TODO have to add 2.7 version also once it is released
|
||||
versions: [dev]
|
||||
# list of images that need to be scanned
|
||||
images: [harbor-core, harbor-db, harbor-exporter, harbor-jobservice, harbor-log, harbor-portal, harbor-registryctl, prepare]
|
||||
permissions:
|
||||
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
|
||||
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- name: Checkout code
|
||||
uses: actions/checkout@v3
|
||||
- name: Run Trivy vulnerability scanner
|
||||
uses: aquasecurity/trivy-action@master
|
||||
with:
|
||||
image-ref: 'docker.io/goharbor/${{ matrix.images }}:${{ matrix.versions }}'
|
||||
severity: 'CRITICAL,HIGH'
|
||||
format: 'template'
|
||||
template: '@/contrib/sarif.tpl'
|
||||
output: 'trivy-results.sarif'
|
||||
|
||||
- name: Upload Trivy scan results to GitHub Security tab
|
||||
uses: github/codeql-action/upload-sarif@v2
|
||||
with:
|
||||
sarif_file: 'trivy-results.sarif'
|
Loading…
Reference in New Issue
Block a user