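---
name: Scan Containers

# Least-privilege default token; the SARIF upload job widens this on its own.
permissions:
  contents: read

on: # yamllint disable-line rule:truthy
  pull_request:
    branches:
      - main
    paths:
      - "k8s/**.yaml"
      - "provision/ansible/**.yml.j2"

jobs:
  detect-file-changes:
    name: Detect File Changes
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
      # TODO(review): pin to a commit SHA like the other actions in this workflow;
      # a mutable tag can be re-pointed at different code without any change here.
      - uses: dorny/paths-filter@v4
        id: filter
        with:
          list-files: json
          filters: |
            yaml:
              - added|modified: "**.yaml"
              - added|modified: "**.yml"
              - added|modified: "**.yaml.j2"
              - added|modified: "**.yml.j2"
    outputs:
      yaml_files: ${{ steps.filter.outputs.yaml_files }}

  detect-containers:
    name: Detect Containers
    runs-on: ubuntu-latest
    needs: detect-file-changes
    # An empty matrix vector fails the job (e.g. a PR that only deletes a matched
    # file), so skip instead when the filter returned no files.
    if: needs.detect-file-changes.outputs.yaml_files != '[]'
    strategy:
      matrix:
        file: ${{ fromJSON(needs.detect-file-changes.outputs.yaml_files) }}
    steps:
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
      - name: Install Jo
        run: |
          sudo apt-get install jo -y
      - name: Detect Containers in Files
        id: containers
        # The file path originates from the PR. Hand it over through the
        # environment instead of interpolating it into the script text, so a
        # crafted path cannot become shell syntax.
        env:
          TARGET_FILE: ${{ matrix.file }}
        run: |
          containers=$(.github/scripts/container-parser.sh --file "${TARGET_FILE}")
          # Wrap the array in an object so it can be used directly as a matrix
          echo "containers=$(echo "${containers}" | jq -c '{"containers": .}')" >> "${GITHUB_OUTPUT}"
    # NOTE(review): job outputs of a matrix job are last-writer-wins, so when
    # several files change only one file's containers reach scan-containers.
    # Confirm that is acceptable; otherwise upload per-file results as artifacts
    # and merge them in a follow-up job.
    outputs:
      # Step id is `containers` (above); it was previously referenced by the
      # non-existent id `detect-containers`, which yielded an empty output.
      containers: ${{ steps.containers.outputs.containers }}

  scan-containers:
    name: Scan Containers
    runs-on: ubuntu-latest
    needs: detect-containers
    permissions:
      contents: read
      security-events: write  # needed by upload-sarif
    strategy:
      matrix: ${{ fromJSON(needs.detect-containers.outputs.containers) }}
      fail-fast: false
    steps:
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
      - name: Scan Container
        uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25 # v0.36.0
        with:
          image-ref: ${{ matrix.containers }}
          vuln-type: os,library
          severity: CRITICAL,HIGH
          format: template
          template: "@/contrib/sarif.tpl"
          output: trivy-results.sarif
      - name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@68bde559dea0fdcac2102bfdf6230c5f70eb485e # v4
        with:
          sarif_file: trivy-results.sarif
          # One category per image so parallel matrix uploads for the same
          # commit do not replace each other's results.
          category: trivy-${{ matrix.containers }}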