Skip to content

Trivy Periodic Image Scan #142

Trivy Periodic Image Scan

Trivy Periodic Image Scan #142

---
#
# This workflow scans the published container images
# for new vulnerabilities daily, publishing findings.
# Findings will be associated with the 'main' branch
# of the repo' in the GitHub Security tab.
#
name: Trivy Periodic Image Scan
on:
schedule:
# run daily
- cron: "0 0 * * *"
jobs:
to-lower-case:
runs-on: ubuntu-latest
name: to-lower-case
steps:
- name: Ensure repo' name is lower case
id: repo
uses: vishalmamidi/lowercase-action@v1
with:
string: ${{ github.repository }}
outputs:
lowercase-repo-name: ${{ steps.repo.outputs.lowercase }}
trivy-matrix:
name: trivy-${{ matrix.notebook_type }}
needs: to-lower-case
strategy:
matrix:
notebook_type:
- jupyter
- rstudio
uses: "./.github/workflows/trivy.yml"
with:
NOTEBOOK_TYPE: ${{ matrix.notebook_type }}
SOURCE_TYPE: image
# While GitHub repo's can be mixed (upper and lower) case,
# Docker images can only be lower case
IMAGE_NAME: ghcr.io/${{ needs.to-lower-case.outputs.lowercase-repo-name
}}-${{ matrix.notebook_type }}:main
# If scan failed, rebuild the image
update-image:
if: ${{!cancelled() && needs.trivy-matrix.outputs.trivy_conclusion == 'failure' }}
needs: trivy-matrix
runs-on: ubuntu-latest
# tag the repo to trigger a new build
steps:
- name: Bump version and push tag
id: tag_version
uses: mathieudutour/[email protected]
with:
github_token: ${{ secrets.GITHUB_TOKEN }}
...