Skip to content

report-on-vulnerabilities #51

report-on-vulnerabilities

report-on-vulnerabilities #51

name: report-on-vulnerabilities
permissions: {}
on:
workflow_dispatch: {}
schedule:
- cron: '0 6 * * *'
jobs:
scan:
runs-on: ubuntu-latest
outputs:
results: ${{ steps.parse-results.outputs.results }}
steps:
- name: Harden Runner
uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
with:
egress-policy: audit
- name: Scan for vulnerabilities
uses: aquasecurity/trivy-action@915b19bbe73b92a6cf82a1bc12b087c9a19a5fe2 # 0.28.0
with:
image-ref: ghcr.io/doodlescheduling/oauth2-redirect-controller:latest
format: json
scanners: vuln,secret
ignore-unfixed: false
severity: HIGH,CRITICAL
output: scan.json
- name: Parse scan results
id: parse-results
continue-on-error: true
run: |
VULNS=$(cat scan.json | jq '[.Results[].Vulnerabilities | select(. != null) | .[]] | length')
if [[ $VULNS -eq 0 ]]
then
echo "No vulnerabilities found, halting"
echo "results=nothing" >> $GITHUB_OUTPUT
else
echo "Vulnerabilities found, creating issue"
echo "results=found" >> $GITHUB_OUTPUT
fi
- name: Upload vulnerability scan report
uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
if: steps.parse-results.outputs.results == 'found'
with:
name: scan.json
path: scan.json
if-no-files-found: error
open-issue:
runs-on: ubuntu-latest
if: needs.scan.outputs.results == 'found'
needs: scan
permissions:
issues: write
steps:
- name: Harden Runner
uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
with:
egress-policy: audit
- name: Checkout
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Download scan
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
with:
name: scan.json
- name: Set scan output
id: set-scan-output
run: echo "results=$(cat scan.json)" >> $GITHUB_OUTPUT
- uses: JasonEtco/create-an-issue@1b14a70e4d8dc185e5cc76d3bec9eab20257b2c5 # v2.9.2
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
RESULTS: ${{ steps.set-scan-output.outputs.results }}
with:
filename: .github/ISSUE_TEMPLATE/VULN-TEMPLATE.md