Breaks out trivy-scheduled-scans

tony-landreth · tony-landreth · commit 9422c8de4b30 · 2023-03-22T14:18:23.000-04:00
Runs scheduled Trivy scans on the main and REL_4_7 branches.

Issue: [sc-17407]
diff --git a/.github/workflows/trivy-pr-scan.yaml b/.github/workflows/trivy-pr-scan.yaml
@@ -9,9 +9,6 @@ on:
   push:
     branches:
       - master
-  # Scan schedule is same as codeql-analysis job.
-  schedule:
-    - cron: '10 18 * * 2'
 
 jobs:
   scan:
diff --git a/.github/workflows/trivy-scheduled-scan.yaml b/.github/workflows/trivy-scheduled-scan.yaml
@@ -0,0 +1,74 @@
+name: Trivy Scheduled Scans
+
+on:
+  # Scan schedule is the same as codeql-analysis job.
+  schedule:
+    - cron: '0 14 * * 1'
+
+jobs:
+  scan_MAIN:
+    if: ${{ github.repository == 'CrunchyData/postgres-operator' }}
+
+    permissions:
+      # for github/codeql-action/upload-sarif to upload SARIF results
+      security-events: write 
+
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v3
+
+      # Run trivy and log detected and fixed vulnerabilities
+      # This report should match the uploaded code scan report below
+      # and is a convenience/redundant effort for those who prefer to
+      # read logs and/or if anything goes wrong with the upload.
+      - name: Log all detected vulnerabilities
+        uses: aquasecurity/trivy-action@master
+        with:
+          scan-type: fs
+          hide-progress: true
+          ignore-unfixed: true
+      
+      # Upload actionable results to the GitHub Security tab.
+      # Pull request checks fail according to repository settings.
+      # - https://docs.github.com/en/code-security/code-scanning/integrating-with-code-scanning/uploading-a-sarif-file-to-github
+      # - https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning
+      - name: Report actionable vulnerabilities
+        uses: aquasecurity/trivy-action@master
+        with:
+          scan-type: fs
+          ignore-unfixed: true
+          format: 'sarif'
+          output: 'trivy-results.sarif'
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          sarif_file: 'trivy-results.sarif'
+
+  scan_REL_4_7:
+    if: ${{ github.repository == 'CrunchyData/postgres-operator' }}
+
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          ref: 'REL_4_7'
+
+      - name: Log actionable vulnerabilities
+        uses: aquasecurity/trivy-action@master
+        with:
+          scan-type: fs
+          skip-dirs: testing
+          hide-progress: true
+          ignore-unfixed: true
+          output: 'trivy-results'
+
+      - name: Alert Slack
+        run: |
+          report=`cat trivy-results`
+          report="${report:-Nothing to Report}"
+          curl -X POST -H 'Content-type: application/json' \
+            --data '{"text": "postgres-operator REL_4_7 CVE Alert ```'"$report"'```"}'\
+            ${{ secrets.SLACK_WEBHOOK }}
