Skip to content

bluevuln

bluevuln #635

Workflow file for this run

name: bluevuln
on:
schedule:
- cron:
"55 0,6,12,18 * * *" # build at {0,6,12,18}:55 UTC every day
# (50 minutes after custom image build was triggered, then every 6h)
push:
paths-ignore:
- "**.md"
- "build-isos"
- "**/build.yml"
concurrency:
group: ${{ github.workflow }}-${{ github.ref || github.run_id }}
cancel-in-progress: true
env:
REPO_OWNER: ${{ github.repository_owner }}
jobs:
scan:
name: Scan Custom Image
runs-on: ubuntu-24.04
permissions:
security-events: write
contents: read
packages: read
strategy:
fail-fast: true
matrix:
package:
- aubertit
- buttgenbachit
#- carbonatcyanotrichit
- flaviramea
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Force repository owner to lowercase
run: echo "IMAGE_REF=ghcr.io/${REPO_OWNER@L}/${{ matrix.package }}" >> ${GITHUB_ENV}
- name: Wait up to 10m to compensate for rate limiting
run: sleep $((RANDOM % 600))
- name: Generate SARIF for Custom Image with Trivy
uses: aquasecurity/[email protected]
with:
output: trivy-results.sarif
github-pat: ${{ secrets.GITHUB_TOKEN }}
image-ref: "${{ env.IMAGE_REF }}"
severity: MEDIUM,HIGH,CRITICAL
scan-type: image
scanners: vuln
format: sarif
env:
TRIVY_USERNAME: ${{ github.actor }}
TRIVY_PASSWORD: ${{ github.token }}
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v3
with:
category: trivy-${{ matrix.package }}
sarif_file: trivy-results.sarif