Merge pull request #83 from paullockaby/weekly-security-scan

feat: enable weekly security scan
paullockaby · Dec 8, 2024 · 4b63905 · 4b63905
2 parents 6761241 + aecabaa
commit 4b63905
Show file tree

Hide file tree

Showing 5 changed files with 39 additions and 23 deletions.
diff --git a/.github/workflows/merge.yaml → .github/workflows/merge.yaml.example b/.github/workflows/merge.yaml → .github/workflows/merge.yaml.example
diff --git a/.github/workflows/pull_request.yaml b/.github/workflows/pull_request.yaml
@@ -8,6 +8,7 @@ jobs:
   # checks to pass" and then, under "Status checks that are required" click "Add checks" and just type in these:
   #    - "tests / pre-commit"
   #    - "tests / test"
+  #    - "security / security"
   #
   # NOTE: if you had the jobs directly in this file you could just refer to them by the yaml identifier for the job.
   # for example, this job is called "tests" so you'd put "tests" as a required "status check". and if you were to take
@@ -16,3 +17,7 @@ jobs:
   tests:
     uses: ./.github/workflows/tests.yaml
     secrets: inherit
+
+  security:
+    uses: ./.github/workflows/security.yaml
+    secrets: inherit
diff --git a/.github/workflows/release-create.yaml b/.github/workflows/release-create.yaml
@@ -30,6 +30,10 @@ jobs:
     uses: ./.github/workflows/tests.yaml
     secrets: inherit
 
+  security:
+    uses: ./.github/workflows/security.yaml
+    secrets: inherit
+
   bump_version:
     runs-on: ubuntu-latest
 

diff --git a/.github/workflows/security.yaml b/.github/workflows/security.yaml
@@ -0,0 +1,30 @@
+name: Security Scanning
+
+on:
+  workflow_call:
+  schedule:
+    - cron: "0 2 * * 1"
+
+jobs:
+  trivy:
+    runs-on: ubuntu-latest
+
+    permissions:
+      contents: read
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Setup trivy
+        uses: aquasecurity/[email protected]
+        with:
+          cache: true
+          version: latest
+
+      - name: Run trivy configuration checks
+        run: |
+          trivy config . --config=.trivy.yaml --ignorefile=.trivyignore
+
+      - name: Run trivy filesystem checks
+        run: |
+          trivy filesystem . --config=.trivy.yaml --ignorefile=.trivyignore --no-progress
diff --git a/.github/workflows/tests.yaml b/.github/workflows/tests.yaml
@@ -25,29 +25,6 @@ jobs:
         env:
           SKIP: no-commit-to-branch
 
-  security:
-    runs-on: ubuntu-latest
-
-    permissions:
-      contents: read
-
-    steps:
-      - uses: actions/checkout@v4
-
-      - name: Setup trivy
-        uses: aquasecurity/[email protected]
-        with:
-          cache: true
-          version: latest
-
-      - name: Run trivy configuration checks
-        run: |
-          trivy config . --config=.trivy.yaml --ignorefile=.trivyignore
-
-      - name: Run trivy filesystem checks
-        run: |
-          trivy filesystem . --config=.trivy.yaml --ignorefile=.trivyignore --no-progress
-
   test:
     runs-on: ubuntu-latest