Periodic Scan Containers for Security Issues #782
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Periodic Scan Containers for Security Issues | |
on: | |
schedule: | |
- cron: '30 1 * * *' | |
# Allows you to run this workflow manually from the Actions tab | |
workflow_dispatch: | |
jobs: | |
generate-tests: | |
name: Generate Jobs | |
runs-on: ubuntu-latest | |
outputs: | |
strategy: ${{ steps.get-products.outputs.strategy }} | |
steps: | |
- name: Checkout percona/percona-docker repository | |
uses: actions/checkout@v3 | |
with: | |
fetch-depth: 0 | |
- name: Generate Jobs | |
id: get-products | |
run: | | |
set -o xtrace | |
strategy='{"fail-fast":false,"matrix":{"include":[]}}' | |
for folder in `ls -d */`; do | |
product_name=$(echo ${folder}| cut -d '/' -f 1) | |
if [ -d "${product_name}" ] && [ -f "${product_name}/Dockerfile" ]; then | |
docker_tag="percona/${product_name}:cron" | |
docker_build="docker build --no-cache -t ${docker_tag} ${product_name}" | |
strategy=$(echo ${strategy} | \ | |
jq -c \ | |
--arg product_name "${product_name}" \ | |
--arg docker_build "${docker_build}" \ | |
--arg docker_tag "${docker_tag}" \ | |
'.matrix.include += [ | |
.include | |
| .name=$product_name | |
| .runs.build=$docker_build | |
| .runs.test=$docker_tag | |
]' | |
) | |
fi | |
done | |
jq . <<<"$strategy" # sanity check / debugging aid | |
echo "::set-output name=strategy::$strategy" | |
test: | |
needs: generate-tests | |
runs-on: ubuntu-latest | |
strategy: ${{ fromJSON(needs.generate-tests.outputs.strategy) }} | |
name: ${{ matrix.name }} | |
steps: | |
- name: Checkout percona/percona-docker repository | |
uses: actions/checkout@v3 | |
- run: ${{ matrix.runs.build }} | |
- name: Run Trivy vulnerability scanner | |
uses: aquasecurity/trivy-action@master | |
with: | |
image-ref: ${{ matrix.runs.test }} | |
format: 'table' | |
exit-code: '1' | |
ignore-unfixed: true | |
vuln-type: 'os,library' | |
severity: 'CRITICAL,HIGH' |