name: cve on: workflow_dispatch: schedule: - cron: "30 15 */2 * *" jobs: cve: runs-on: ubuntu-latest steps: - name: init / checkout uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 with: ref: ${{ github.ref_name }} fetch-depth: 0 - name: init / setup environment uses: actions/github-script@62c3794a3eb6788d9a2a72b219504732c0c9a298 with: script: | const { existsSync, readFileSync } = require('node:fs'); const { resolve } = require('node:path'); const { inspect } = require('node:util'); const { Buffer } = require('node:buffer'); const inputs = `${{ toJSON(github.event.inputs) }}`; const opt = {input:{}, dot:{}}; try{ if(inputs.length > 0){ opt.input = JSON.parse(inputs); if(opt.input?.etc){ opt.input.etc = JSON.parse(Buffer.from(opt.input.etc, 'base64').toString('ascii')); } } }catch(e){ core.warning('could not parse github.event.inputs'); } try{ const path = resolve('.json'); if(existsSync(path)){ try{ opt.dot = JSON.parse(readFileSync(path).toString()); }catch(e){ throw new Error('could not parse .json'); } }else{ throw new Error('.json does not exist'); } }catch(e){ core.setFailed(e); } core.info(inspect(opt, {showHidden:false, depth:null, colors:true})); core.exportVariable('WORKFLOW_IMAGE', `${opt.dot.image}:${(opt.dot?.semver?.version === undefined) ? 'rolling' : opt.dot.semver.version}`); core.exportVariable('WORKFLOW_GRYPE_SEVERITY_CUTOFF', (opt.dot?.grype?.severity || 'high')); - name: grype / scan id: grype uses: anchore/scan-action@dc6246fcaf83ae86fcc6010b9824c30d7320729e with: image: ${{ env.WORKFLOW_IMAGE }} fail-build: true severity-cutoff: ${{ env.WORKFLOW_GRYPE_SEVERITY_CUTOFF }} output-format: 'sarif' by-cve: true cache-db: true