nightly-vulnerability-scan.yml
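---
# Nightly Grype scan of the most recently built kaniko executor image.
# If the scan reports vulnerabilities, a GitHub issue is opened carrying the
# scan report as its body.
name: Nightly Vulnerability Scan

on:
  schedule:
    # Run every night at midnight (cron schedules are evaluated in UTC)
    - cron: '0 0 * * *'

# Least privilege: the job only reads the checkout and files issues.
# `issues: write` is what `gh issue create` needs when it runs with the
# default workflow token.
permissions:
  contents: read
  issues: write

jobs:
  vulnerability-scan:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        # v2 runs on the retired Node 12 runtime; v4 is the supported line.
        # NOTE(review): for a stronger supply-chain guarantee, pin the action to
        # a full commit SHA instead of a mutable tag.
        uses: actions/checkout@v4

      - name: Set up Grype
        run: |
          # Install Grype.
          # NOTE(review): this fetches and executes an unpinned installer from
          # the `main` branch; pass a release version as the script's last
          # argument (and/or verify the download checksum) so the scanner
          # build is reproducible and not silently replaced between runs.
          curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin

      - name: Get latest commit SHA of Kaniko project
        id: get-commit
        run: |
          LATEST_COMMIT_SHA=$(git rev-parse HEAD)
          echo "Latest commit SHA: $LATEST_COMMIT_SHA"
          # `::set-output` is deprecated and disabled on current runners;
          # step outputs are written to the $GITHUB_OUTPUT file instead.
          echo "sha=$LATEST_COMMIT_SHA" >> "$GITHUB_OUTPUT"

      - name: Scan the latest CI/CD image
        run: |
          IMAGE_ID="gcr.io/kaniko-project/executor:${{ steps.get-commit.outputs.sha }}"
          echo "Scanning image $IMAGE_ID"
          # Table output is what the next step greps for, so request it
          # explicitly rather than relying on the default presenter.
          # If grype itself fails (e.g. the image for this SHA has not been
          # pushed yet) the step fails under `bash -e` and no issue is filed.
          grype "$IMAGE_ID" -o table > grype-output.txt

      - name: Check for vulnerabilities and create an issue
        env:
          # `gh` needs a token to call the API; the default workflow token
          # is sufficient given the `issues: write` permission above.
          GH_TOKEN: ${{ github.token }}
        run: |
          if grep -q 'No vulnerabilities found' grype-output.txt; then
            echo "No vulnerabilities found."
          else
            # `gh issue create` has no `--file` flag; the body is read from a
            # file with `--body-file`, and `--body`/`--body-file` are mutually
            # exclusive, so the whole body (summary + report) is assembled in
            # one file. The report is truncated to stay under GitHub's
            # 65536-character issue body limit.
            {
              echo "Vulnerabilities were found in the nightly Grype scan of gcr.io/kaniko-project/executor:${{ steps.get-commit.outputs.sha }}."
              echo
              echo '```'
              head -c 60000 grype-output.txt
              echo '```'
            } > issue-body.md
            gh issue create --title "Vulnerabilities Found in Nightly Scan" --body-file issue-body.md
          fi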