Vulnerability Scan #313
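---
name: Vulnerability Scan

# `on` is a YAML 1.1 boolean-looking key; GitHub's loader reads it as the trigger block.
on:
  schedule:
    # Run every third day at 00:00 UTC. Quoted so the expression is always a string
    # and the `*` characters can never be read as YAML aliases.
    - cron: "0 0 * * */3"
  workflow_dispatch:

jobs:
  scan:
    name: Vulnerability scan
    runs-on: ubuntu-latest
    # Least privilege for the default GITHUB_TOKEN: only the checkout step relies on it,
    # and it only needs to read the repository. The scan step authenticates with its
    # own PAT, and the Slack step with SLACK_BOT_TOKEN.
    permissions:
      contents: read
    env:
      DOCKERFILE: Dockerfile_with_poetry_lock
    steps:
      - name: Checkout git repository 🕝
        # NOTE(review): the other actions in this job are pinned to a full commit SHA;
        # this one is pinned to a mutable tag. Pin to the SHA of the intended release
        # (with the tag as a trailing comment) to match that convention.
        uses: actions/checkout@v2

      - name: Add poetry.lock 🔒
        # Trivy depends on the presence of `poetry.lock` to scan Python dependencies,
        # so build a one-layer image on top of the base image that copies it in.
        run: |
          BASE_IMAGE=rasa/rasa:latest-full
          docker pull "$BASE_IMAGE"
          # Create the Dockerfile which includes poetry.lock. Written (not appended) so
          # the scanned image is deterministic even if a file of that name already
          # exists in the checkout. The heredoc delimiter is deliberately unquoted so
          # $BASE_IMAGE expands into the FROM line.
          tee "$DOCKERFILE" << END
          FROM $BASE_IMAGE
          COPY poetry.lock .
          END
          IMAGE_NAME=rasa/rasa:latest-scanned
          docker build -f "$DOCKERFILE" -t "$IMAGE_NAME" .
          # Hand the image reference to the scan step via the job environment.
          echo "IMAGE_WITH_POETRY_LOCK=$IMAGE_NAME" >> "$GITHUB_ENV"

      - name: Scan image 🕵️♀️🕵️♂️
        uses: lazy-actions/gitrivy@6edf95fdc8b1fb841a974536316b209cd16f9000 # v3
        with:
          # Needs the token so it can create an issue once a vulnerability was found;
          # do not use GITHUB_TOKEN here because it wouldn't trigger subsequent workflows.
          token: ${{ secrets.RASABOT_GITHUB_TOKEN }}
          image: ${{ env.IMAGE_WITH_POETRY_LOCK }}
          # Only report findings that have a fix available.
          ignore_unfixed: true
          issue_label: "tool:trivy,type:vulnerability"
          severity: "LOW,MEDIUM,HIGH,CRITICAL"
          # Fail the job so the Slack notification below fires on findings.
          fail_on_vulnerabilities: true

      - name: Notify slack on failure
        if: failure()
        env:
          SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }}
        uses: voxmedia/github-action-slack-notify-build@212e9f7a9ca33368c8dd879d6053972128258985
        with:
          channel_id: ${{ secrets.SLACK_ALERTS_CHANNEL_ID }}
          status: FAILED
          color: danger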