Security analysis workflow

2020-03-25 18:21:36 -04:00
parent 17ccf98c75
commit e6bbaa2ba6
1 changed files with 30 additions and 0 deletions
--- a/.github/workflows/security.yml
+++ b/.github/workflows/security.yml
@@ -0,0 +1,30 @@
+name: Security scan of Docker image
+on:
+  push:
+  schedule:
+    - cron: '0 9 * * *'
+jobs:
+  security-analysis:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v2
+      - name: Check for scratch
+        id: scratchCheck
+        run: echo ::set-output name=scratch::$(cat Dockerfile | grep 'FROM scratch')
+      - name: Build image
+        if: steps.scratchCheck.outputs.scratch == ''
+        run: docker build -t image .
+      - name: Phonito
+        if: steps.scratchCheck.outputs.scratch == ''
+        uses: phonito/phonito-scanner-action@master
+        with:
+          image: image
+          fail-level: LOW
+          phonito-token: ${{ secrets.PHONITO_TOKEN }}
+      - name: Trivy
+        if: steps.scratchCheck.outputs.scratch == ''
+        uses: homoluctus/gitrivy@v1.0.0
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+          image: image