WIP: run trivy security scans on release docker image/composer depend…

…encies
nodiscc · Sep 20, 2023 · 426336d · 426336d
1 parent b15a2b8
commit 426336d
Show file tree

Hide file tree

Showing 2 changed files with 25 additions and 2 deletions.
diff --git a/.github/workflows/trivy-release.yml b/.github/workflows/trivy-release.yml
@@ -0,0 +1,24 @@
+name: trivy security scans (release)
+on:
+  schedule:
+    #- cron: '0 17 * * 1'
+    - cron: '10 * * * 1'
+  workflow_dispatch:
+
+jobs:
+  trivy-repo:
+    runs-on: ubuntu-latest
+    name: trivy scan (release composer dependencies)
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+      - name: Run trivy scanner on repository
+        run: make test_trivy_repo
+  trivy-docker:
+    runs-on: ubuntu-latest
+    name: trivy scan (release docker image)
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+      - name: Run trivy scanner on release docker image
+        run: make test_trivy_docker TRIVY_TARGET_DOCKER_IMAGE=ghcr.io/shaarli/shaarli:release
diff --git a/Makefile b/Makefile
@@ -209,7 +209,6 @@ download_trivy:
 test_trivy_docker: download_trivy
 	./trivy --exit-code $(TRIVY_EXIT_CODE) image $(TRIVY_TARGET_DOCKER_IMAGE)
 
-### run trivy vulnerability scanner on composer/yarn dependency trees
+### run trivy vulnerability scanner on composer dependency tree
 test_trivy_repo: download_trivy
 	./trivy --exit-code $(TRIVY_EXIT_CODE) fs composer.lock
-	./trivy --exit-code $(TRIVY_EXIT_CODE) fs yarn.lock