
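name: Image Scan

# Scheduled Trivy scan of every container image listed by the embedded-cluster
# binary. The scan job fails on CRITICAL/HIGH/MEDIUM findings that have a fix
# and, on the default branch, publishes SARIF to code scanning.
#
# NOTE(review): every third-party action below is referenced by a mutable tag
# (`@v4`, `@v5`, `@0.24.0`). Pin each `uses:` to a full commit SHA (keep the tag
# in a trailing comment) so a moved or compromised tag cannot inject code into
# this workflow; the SHAs are deliberately not guessed here.
on:
  schedule:
    # everyday at midnight (UTC).
    - cron: '0 0 * * *'
  workflow_dispatch: {}
  push:
    branches:
      # NOTE(review): looks like a development branch left in for testing —
      # confirm whether it should remain once this lands on main.
      - emosbaugh/sc-108755/scan-images

# Least privilege for GITHUB_TOKEN: nothing here needs write access except the
# SARIF upload, which the scan job grants itself below.
permissions:
  contents: read

jobs:
  output-matrix:
    runs-on: ubuntu-latest
    timeout-minutes: 30
    outputs:
      matrix: ${{ steps.build-matrix.outputs.matrix }}
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Setup go
        uses: actions/setup-go@v5
        with:
          go-version-file: go.mod
      - name: Build
        run: |
          make embedded-cluster-linux-amd64
      - name: List images
        # `shell: bash` runs the script with `-eo pipefail`, so a failure in any
        # pipeline stage fails the step instead of yielding a partial list.
        shell: bash
        run: |
          ./output/bin/embedded-cluster version list-images > images.txt
          # An empty list would make the scan job's matrix invalid and fail the
          # workflow with an unhelpful error; fail here with a clear reason.
          if ! [ -s images.txt ]; then
            echo "::error::list-images produced no images"
            exit 1
          fi
      - name: Upload images artifact
        uses: actions/upload-artifact@v4
        with:
          name: images
          path: images.txt
      - name: Build images matrix
        id: build-matrix
        shell: bash
        run: |
          # The first whitespace-separated field of each non-blank line is the
          # image reference. Let jq build the JSON array so quoting/escaping in
          # image names is handled correctly rather than by hand-rolled sed/awk.
          matrix="$(awk 'NF { print $1 }' images.txt | jq -cR . | jq -cs '{image: .}')"
          echo "matrix=${matrix}" >> "$GITHUB_OUTPUT"
  scan:
    runs-on: ubuntu-latest
    timeout-minutes: 60
    needs: [output-matrix]
    permissions:
      contents: read
      # Required by upload-sarif to publish code scanning results.
      security-events: write
      # NOTE(review): upload-sarif also needs `actions: read` on private
      # repositories — confirm against this repository's visibility.
      actions: read
    strategy:
      fail-fast: false
      matrix: ${{ fromJson(needs.output-matrix.outputs.matrix) }}
    steps:
      - name: Scan image
        uses: aquasecurity/trivy-action@0.24.0
        with:
          image-ref: '${{ matrix.image }}'
          # ignore-unfixed hides CVEs with no vendor fix yet; they are still
          # present in the image. Revisit if a fail-on-any-finding policy is wanted.
          ignore-unfixed: true
          severity: CRITICAL,HIGH,MEDIUM
          # Fail the job on any finding at the listed severities.
          exit-code: 1
      - name: Output sarif
        # Runs even when the scan step above failed (exit-code: 1) so findings
        # still reach code scanning; skipped only on cancellation or off main.
        if: ${{ !cancelled() && github.ref == 'refs/heads/main' }}
        uses: aquasecurity/trivy-action@0.24.0
        with:
          image-ref: '${{ matrix.image }}'
          format: sarif
          output: trivy-results.sarif
          ignore-unfixed: true
          severity: CRITICAL,HIGH,MEDIUM
      - name: Upload sarif
        if: ${{ !cancelled() && github.ref == 'refs/heads/main' }}
        # v2 of the CodeQL action is deprecated; v3 is the maintained line.
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: trivy-results.sarif
          # Every matrix leg uploads a SARIF for the same commit and tool; a
          # distinct category per image is what keeps them from overwriting
          # each other (presumably any string is accepted — verify in the UI).
          category: trivy-${{ matrix.image }}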