diff --git a/.github/workflows/general.security-scan.yaml b/.github/workflows/general.security-scan.yaml
deleted file mode 100644
index f634d96b872..00000000000
--- a/.github/workflows/general.security-scan.yaml
+++ /dev/null
@@ -1,61 +0,0 @@
-name: "General: Security Scan"
-
-on:
- workflow_dispatch:
- push:
- branches:
- - master
- paths:
- - ".github/workflows/general.security-scan.yaml"
- schedule:
- - cron: "0 0 * * 0"
-
-jobs:
- directories: # Job that list subdirectories
- runs-on: ubuntu-latest
- outputs:
- dir: ${{ steps.set-dirs.outputs.dir }} # generate output name dir by using inner step output
- steps:
- - uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3
- with:
- token: ${{ secrets.BOT_TOKEN }}
- - id: set-dirs # Give it an id to handle to get step outputs in the outputs key above
- run: echo "::set-output name=dir::$({ ls -d containers/apps/*/ & ls -d containers/base/*/; } | tr '\n' '\0' | xargs -0 -n 1 basename | jq -R -s -c 'split("\n")[:-1]')"
- # Define step output named dir base on ls command transformed to JSON thanks to jq
-
- scan_files:
- name: Scan Files
- runs-on: ubuntu-latest
- steps:
- - name: Checkout
- uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3
-
- - name: Run Trivy vulnerability scanner in repo mode
- uses: aquasecurity/trivy-action@master
- with:
- scan-type: "fs"
- ignore-unfixed: true
- format: "template"
- template: "@/contrib/sarif.tpl"
- output: "trivy-repo-results.sarif"
- severity: "CRITICAL"
-
- - name: Upload Trivy scan results to GitHub Security tab
- uses: github/codeql-action/upload-sarif@959cbb7472c4d4ad70cdfe6f4976053fe48ab394 # v2
- with:
- sarif_file: "trivy-repo-results.sarif"
-
- scan_containers:
- name: Scan Containers
- runs-on: ubuntu-20.04
- needs: [directories] # Depends on previous job
- strategy:
- matrix:
- dir: ${{fromJson(needs.directories.outputs.dir)}} # List matrix strategy from directories dynamically
- fail-fast: false
- steps:
- - name: Container Security scan
- uses: Azure/container-scan@f9af925b897d8af5f7e0026b8bca9346261abc93 # tag=v0
- with:
- image-name: ghcr.io/${{ github.repository_owner }}/${{matrix.dir}}:latest
- severity-threshold: HIGH