70 lines
2.3 KiB
YAML
70 lines
2.3 KiB
YAML
name: cve
|
|
|
|
on:
|
|
workflow_dispatch:
|
|
schedule:
|
|
- cron: "30 15 */2 * *"
|
|
|
|
jobs:
|
|
cve:
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- name: init / checkout
|
|
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
|
|
with:
|
|
ref: ${{ github.ref_name }}
|
|
fetch-depth: 0
|
|
|
|
- name: init / setup environment
|
|
uses: actions/github-script@62c3794a3eb6788d9a2a72b219504732c0c9a298
|
|
with:
|
|
script: |
|
|
const { existsSync, readFileSync } = require('node:fs');
|
|
const { resolve } = require('node:path');
|
|
const { inspect } = require('node:util');
|
|
const { Buffer } = require('node:buffer');
|
|
const inputs = `${{ toJSON(github.event.inputs) }}`;
|
|
const opt = {input:{}, dot:{}};
|
|
|
|
try{
|
|
if(inputs.length > 0){
|
|
opt.input = JSON.parse(inputs);
|
|
if(opt.input?.etc){
|
|
opt.input.etc = JSON.parse(Buffer.from(opt.input.etc, 'base64').toString('ascii'));
|
|
}
|
|
}
|
|
}catch(e){
|
|
core.warning('could not parse github.event.inputs');
|
|
}
|
|
|
|
try{
|
|
const path = resolve('.json');
|
|
if(existsSync(path)){
|
|
try{
|
|
opt.dot = JSON.parse(readFileSync(path).toString());
|
|
}catch(e){
|
|
throw new Error('could not parse .json');
|
|
}
|
|
}else{
|
|
throw new Error('.json does not exist');
|
|
}
|
|
}catch(e){
|
|
core.setFailed(e);
|
|
}
|
|
|
|
core.info(inspect(opt, {showHidden:false, depth:null, colors:true}));
|
|
|
|
core.exportVariable('WORKFLOW_IMAGE', `${opt.dot.image}:${(opt.dot?.semver?.version === undefined) ? 'rolling' : opt.dot.semver.version}`);
|
|
core.exportVariable('WORKFLOW_GRYPE_SEVERITY_CUTOFF', (opt.dot?.grype?.severity || 'high'));
|
|
|
|
|
|
- name: grype / scan
|
|
id: grype
|
|
uses: anchore/scan-action@dc6246fcaf83ae86fcc6010b9824c30d7320729e
|
|
with:
|
|
image: ${{ env.WORKFLOW_IMAGE }}
|
|
fail-build: true
|
|
severity-cutoff: ${{ env.WORKFLOW_GRYPE_SEVERITY_CUTOFF }}
|
|
output-format: 'sarif'
|
|
by-cve: true
|
|
cache-db: true |