ci: enable scheduled trivy scanner and report vulnerabilities as GH i…

…ssues This workflow enables a scheduled scanner (that can also be run from a workflow dispatch) to scan images using the trivy scanner. At the same time, enables the automatic creation/edition of Github issues when a vulnerability is found. Fixes #55
canonical · Oct 15, 2024 · c9d4dc1 · c9d4dc1
1 parent 677497a
commit c9d4dc1
Showing 1 changed file with 21 additions and 0 deletions.
diff --git a/.github/workflows/scan_images.yaml b/.github/workflows/scan_images.yaml
@@ -0,0 +1,21 @@
+name: Scan images
+
+on:  
+  schedule:
+    - cron: '00 23 * * *'
+  workflow_dispatch:
+
+jobs:
+
+  on-push:
+    name: Get rocks modified and build-scan-test-publish them
+    uses: canonical/charmed-kubeflow-workflows/.github/workflows/get-published-images-scan-and-report.yaml@main
+    strategy:
+      matrix:
+        branch: [main, track/0.15, track/0.16]
+    secrets:
+      GH_TOKEN: ${{ secrets.GH_TOKEN }}
+    with:
+      report-vulnerabilities: true
+      severity: "HIGH,CRITICAL"
+      branch: ${{ matrix.branch }}