Nightly Vulnerability Scan #75
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Nightly Vulnerability Scan | |
| on: | |
| schedule: | |
| # Schedule to run every night at midnight | |
| - cron: '0 0 * * *' | |
| jobs: | |
| vulnerability-scan: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@v2 | |
| - name: Set up Grype | |
| run: | | |
| # Install Grype | |
| curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin | |
| - name: Get latest commit SHA of Kaniko project | |
| id: get-commit | |
| run: | | |
| LATEST_COMMIT_SHA=$(git rev-parse HEAD) | |
| echo "Latest commit SHA: $LATEST_COMMIT_SHA" | |
| echo "::set-output name=sha::$LATEST_COMMIT_SHA" | |
| - name: Scan the latest CI/CD image | |
| run: | | |
| IMAGE_ID="gcr.io/kaniko-project/executor:${{ steps.get-commit.outputs.sha }}" | |
| echo "Scanning image $IMAGE_ID" | |
| grype $IMAGE_ID > grype-output.txt | |
| - name: Check for vulnerabilities and create an issue | |
| run: | | |
| if grep -q 'No vulnerabilities found' grype-output.txt; then | |
| echo "No vulnerabilities found." | |
| else | |
| gh issue create --title "Vulnerabilities Found in Nightly Scan" --body "Vulnerabilities found in the latest image scan. Please check the attached report." --file grype-output.txt | |
| fi |