Container Security Scans #62
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Container Security Scans | |
| # This workflow orchestrates security scanning of container images using Anchore scanner. | |
| # It runs nightly and can be triggered manually to scan various container images for vulnerabilities. | |
| name: Container Security Scans | |
| # Trigger configuration | |
| on: | |
| schedule: | |
| - cron: '0 0 * * *' # Runs nightly at midnight (UTC) | |
| workflow_dispatch: # Allows manual triggering through GitHub UI | |
| # Security hardening: Start with no permissions and grant only what's needed | |
| permissions: {} # Remove all permissions by default | |
| # Prevent multiple workflow runs from interfering with each other | |
| # This ensures only one scan runs at a time and new triggers cancel old runs | |
| concurrency: | |
| group: ${{ github.workflow }}-${{ github.ref }} | |
| cancel-in-progress: true | |
| jobs: | |
| # Get the latest release tag first | |
| get-latest-tag: | |
| name: Get Latest Release Tag | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: read # Needed to read releases | |
| outputs: | |
| tag_name: ${{ steps.get_release.outputs.tag_name }} | |
| steps: | |
| - name: Get latest release | |
| id: get_release | |
| uses: actions/github-script@v7 | |
| with: | |
| script: | | |
| const release = await github.rest.repos.getLatestRelease({ | |
| owner: context.repo.owner, | |
| repo: context.repo.repo | |
| }); | |
| core.setOutput('tag_name', release.data.tag_name); | |
| # Scan operator image using latest release tag | |
| scan-operator: | |
| name: Scan Operator Image | |
| needs: get-latest-tag # Wait for tag to be fetched | |
| uses: ./.github/workflows/scan-container-image.yml | |
| # Grant required permissions to the reusable workflow | |
| permissions: | |
| contents: read # Needed to read workflow files | |
| security-events: write # Needed to upload SARIF results | |
| with: | |
| # Use the latest release tag from the previous job | |
| image: replicated/embedded-cluster-operator-image:${{ needs.get-latest-tag.outputs.tag_name }} | |
| # Report findings of medium severity or higher | |
| severity-cutoff: medium | |
| # Continue even if vulnerabilities are found | |
| fail-build: false | |
| # Specify platform to scan | |
| platform: linux/amd64 | |
| # Scan local artifact mirror image using latest release tag | |
| scan-registry: | |
| name: Scan Local Artifact Mirror Image | |
| needs: get-latest-tag # Wait for tag to be fetched | |
| uses: ./.github/workflows/scan-container-image.yml | |
| # Grant required permissions to the reusable workflow | |
| permissions: | |
| contents: read # Needed to read workflow files | |
| security-events: write # Needed to upload SARIF results | |
| with: | |
| # Use the latest release tag from the previous job | |
| image: replicated/embedded-cluster-local-artifact-mirror:${{ needs.get-latest-tag.outputs.tag_name }} | |
| # Report findings of medium severity or higher | |
| severity-cutoff: medium | |
| # Continue even if vulnerabilities are found | |
| fail-build: false | |
| # Specify platform to scan | |
| platform: linux/amd64 |