daily vulnerability scan #57

	name: daily vulnerability scan

	on:
	schedule:
	- cron: '0 0 * * *'

	env:
	IMAGE_NAME: zozo-gatling-operator
	TRIVY_RESULTS_MARKDOWN: trivy-results.md

	permissions:
	contents: read
	issues: write

	jobs:
	build-scan-and-save-results:
	name: Build, scan, and save results
	runs-on: ubuntu-latest
	steps:
	- name: Checkout
	uses: actions/checkout@v4

	- name: Setup Go
	uses: actions/setup-go@v4
	with:
	go-version-file: ./go.mod
	cache: true

	- name: Go modules sync
	run: go mod tidy

	- name: Set up Docker Buildx
	uses: docker/setup-buildx-action@v3

	- name: Build an image from Dockerfile
	run: \|
	make docker-build IMG="${{ env.IMAGE_NAME }}:${{ github.sha }}"

	- name: Run Trivy vulnerability scanner
	uses: aquasecurity/trivy-action@master
	with:
	scan-type: image
	image-ref: "${{ env.IMAGE_NAME }}:${{ github.sha }}"
	exit-code: 1
	ignore-unfixed: true
	vuln-type: os,library
	severity: HIGH,CRITICAL
	timeout: 10m0s
	scanners: vuln,secret,config
	format: template
	template: "@.github/ISSUE_TEMPLATE/trivy-results.tpl"
	output: ${{ env.TRIVY_RESULTS_MARKDOWN }}

	- name: Insert YAML front matter into the results markdown
	if: always()
	run: \|
	sed -i '1i\
	---\
	title: "[DO NOT CHANGE] Security Alert"\
	labels: "trivy, vulnerability"\
	---\
	' "${{ env.TRIVY_RESULTS_MARKDOWN }}"

	- name: Create or update the trivy results issue
	uses: JasonEtco/create-an-issue@v2
	if: always()
	env:
	GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
	with:
	filename: ${{ env.TRIVY_RESULTS_MARKDOWN }}
	update_existing: true
	search_existing: open

Provide feedback