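---
# Scans every container image referenced by YAML files changed in a PR with
# Trivy and uploads the findings to the GitHub Security tab.
name: Scan Containers

on: # yamllint disable-line rule:truthy
  pull_request:
    branches:
      - main
    paths:
      - "k8s/**.yaml"
      - "provision/ansible/**.yml.j2"

# Least-privilege token: the SARIF upload in scan-containers needs
# security-events: write; every other step only reads the checkout.
permissions:
  contents: read
  security-events: write

jobs:
  detect-file-changes:
    name: Detect File Changes
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
      # NOTE(review): the only action in this workflow not pinned to a commit
      # SHA; pin it like the others so a moved tag cannot change what runs.
      - uses: dorny/paths-filter@v4
        id: filter
        with:
          list-files: json
          filters: |
            yaml:
              - added|modified: "**.yaml"
              - added|modified: "**.yml"
              - added|modified: "**.yaml.j2"
              - added|modified: "**.yml.j2"
    outputs:
      # JSON array of the added/modified YAML paths (list-files: json).
      yaml_files: ${{ steps.filter.outputs.yaml_files }}

  detect-containers:
    name: Detect Containers
    runs-on: ubuntu-latest
    needs: detect-file-changes
    # A job with an empty matrix fails outright. The workflow's paths filter
    # still fires for a PR that only deletes YAML, while the step filter above
    # matches added|modified only, so guard the empty case here
    # (assumes paths-filter emits `[]` when nothing matched — confirm).
    if: needs.detect-file-changes.outputs.yaml_files != '[]'
    strategy:
      matrix:
        file: ${{ fromJSON(needs.detect-file-changes.outputs.yaml_files) }}
    steps:
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
      - name: Install Jo
        run: |
          sudo apt-get install jo -y
      - name: Detect Containers in Files
        id: containers
        # The path is PR-controlled data. Handing it to the script through the
        # environment (instead of templating `${{ matrix.file }}` into the
        # shell text) keeps shell metacharacters in a file name from being
        # interpreted by the runner's shell.
        env:
          FILE: ${{ matrix.file }}
        run: |
          containers=$(.github/scripts/container-parser.sh --file "${FILE}")
          # Ensure proper JSON format for matrix
          echo "containers=$(echo "${containers}" | jq -c '{"containers": .}')" >> "${GITHUB_OUTPUT}"
    outputs:
      # The step id above is `containers`; the previous reference to
      # `steps.detect-containers` did not exist, so this output was empty and
      # fromJSON() in scan-containers failed.
      containers: ${{ steps.containers.outputs.containers }}
      # NOTE(review): every matrix leg writes this same output key, so only the
      # last leg to finish is visible to scan-containers — confirm that is the
      # intended behaviour when a PR touches more than one YAML file.

  scan-containers:
    name: Scan Containers
    runs-on: ubuntu-latest
    needs: detect-containers
    # Skip when the parser found nothing: `jq -c '{"containers": .}'` on an
    # empty array yields exactly `{"containers":[]}`, and an empty output means
    # the upstream job was skipped or its step failed.
    if: needs.detect-containers.outputs.containers != '' && needs.detect-containers.outputs.containers != '{"containers":[]}'
    strategy:
      matrix: ${{ fromJSON(needs.detect-containers.outputs.containers) }}
      fail-fast: false
    steps:
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
      - name: Scan Container
        uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25 # v0.36.0
        with:
          image-ref: ${{ matrix.containers }}
          vuln-type: os,library
          severity: CRITICAL,HIGH
          format: template
          template: "@/contrib/sarif.tpl"
          output: trivy-results.sarif
      - name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@68bde559dea0fdcac2102bfdf6230c5f70eb485e # v4
        with:
          sarif_file: trivy-results.sarif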