Merge pull request #6876 from btme0011/feature-5232-Trivy-Security-Scan

feature-5232-Trivy-Security-Scans
2024-09-18 02:18:19 +12:00 · 2024-08-20 23:26:28 -07:00 · 2024-08-20 23:26:28 -07:00 · 9301bddd8b
commit 9301bddd8b
parent 90bc303c7c 4726c5cec3
1 changed files with 47 additions and 0 deletions
--- a/.github/workflows/nightly.yml
+++ b/.github/workflows/nightly.yml
@ -0,0 +1,47 @@
+name: Nightly Security Scan
+on:
+  schedule:
+    - cron: '0 0 * * *'  # 12am UTC daily runtime
+  workflow_dispatch:
+
+jobs:
+  scan-image:
+    name: Scan Docker Image
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out code
+        uses: actions/checkout@v4
+        with:
+          submodules: recursive
+      - name: Build the Docker image
+        run: docker build . -t appwrite_image:latest
+      - name: Run Trivy vulnerability scanner on image
+        uses: aquasecurity/trivy-action@0.20.0
+        with:
+          image-ref: 'appwrite_image:latest'
+          format: 'sarif'
+          output: 'trivy-image-results.sarif'
+          ignore-unfixed: 'false'
+          severity: 'CRITICAL,HIGH'
+      - name: Upload Docker Image Scan Results
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          sarif_file: 'trivy-image-results.sarif'
+
+  scan-code:
+    name: Scan Code
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out code
+        uses: actions/checkout@v4
+      - name: Run Trivy vulnerability scanner on filesystem
+        uses: aquasecurity/trivy-action@0.20.0
+        with:
+          scan-type: 'fs'
+          format: 'sarif'
+          output: 'trivy-fs-results.sarif'
+          severity: 'CRITICAL,HIGH'
+      - name: Upload Code Scan Results
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          sarif_file: 'trivy-fs-results.sarif'