.github/workflows: Add workflow to scan latest tagged base image for …

…CVEs every night Signed-off-by: Timo Reichl <[email protected]>
thetredev · Dec 7, 2022 · d6219ca · d6219ca
1 parent ae1bca7
commit d6219ca
Showing 1 changed file with 30 additions and 0 deletions.
diff --git a/.github/workflows/cve-scan.yml b/.github/workflows/cve-scan.yml
@@ -0,0 +1,30 @@
+name: Check for CVEs on latest tagged image every night
+
+on:
+  schedule:
+    - cron: "0 0 * * *"
+
+env:
+  IMAGE_REPOSITORY: "ghcr.io/${{ github.repository_owner }}/${{ github.event.repository.name }}"
+  CRANE_IMAGE: "gcr.io/go-containerregistry/crane:v0.11.0"
+
+jobs:
+  cve-check:
+    runs-on: ubuntu-22.04
+    steps:
+      - id: latest_image
+        name: Get latest image
+        run: |
+          # Get latest tag for base image
+          latest_tag=$(docker run --rm ${CRANE_IMAGE} ls ${IMAGE_REPOSITORY} | grep base | tail -1)
+
+          # Set output to latest image
+          echo "url=${IMAGE_REPOSITORY}:${latest_tag}" >> $GITHUB_OUTPUT
+
+      - name: Scan for CVEs
+        uses: aquasecurity/[email protected]
+        with:
+          image-ref: "${{ steps.latest_image.outputs.url }}"
+          format: 'table'
+          exit-code: '1'
+          severity: 'CRITICAL,HIGH,MEDIUM,LOW'