|
name: Nightly Security Scan |
|
on: |
|
schedule: |
|
- cron: '0 0 * * *' # 12am UTC daily runtime |
|
workflow_dispatch: |
|
|
|
jobs: |
|
scan-image: |
|
name: Scan Docker Image |
|
runs-on: ubuntu-latest |
|
steps: |
|
- name: Check out code |
|
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 |
|
with: |
|
submodules: recursive |
|
- name: Build the Docker image |
|
run: DOCKER_BUILDKIT=1 docker build . --target production -t appwrite_image:latest |
|
- name: Run Trivy vulnerability scanner on image |
|
uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25 # v0.36.0 |
|
with: |
|
image-ref: 'appwrite_image:latest' |
|
format: 'sarif' |
|
output: 'trivy-image-results.sarif' |
|
ignore-unfixed: 'false' |
|
severity: 'CRITICAL,HIGH' |
|
- name: Upload Docker Image Scan Results |
|
uses: github/codeql-action/upload-sarif@e46ed2cbd01164d986452f91f178727624ae40d7 # v4.35.3 |
|
if: always() && hashFiles('trivy-image-results.sarif') != '' |
|
with: |
|
sarif_file: 'trivy-image-results.sarif' |
|
category: 'trivy-image' |
|
|
|
scan-code: |
|
name: Scan Code |
|
runs-on: ubuntu-latest |
|
steps: |
|
- name: Check out code |
|
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 |
|
- name: Run Trivy vulnerability scanner on filesystem |
|
uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25 # v0.36.0 |
|
with: |
|
scan-type: 'fs' |
|
format: 'sarif' |
|
output: 'trivy-fs-results.sarif' |
|
severity: 'CRITICAL,HIGH' |
|
- name: Upload Code Scan Results |
|
uses: github/codeql-action/upload-sarif@e46ed2cbd01164d986452f91f178727624ae40d7 # v4.35.3 |
|
if: always() && hashFiles('trivy-fs-results.sarif') != '' |
|
with: |
|
sarif_file: 'trivy-fs-results.sarif' |
|
category: 'trivy-source' |