Add CVE scan pipeline as scheduled nightly

The new 'CVE scan' pipeline scans the latest published image for high & critical vulnerabilities. closes #224
asciidoctor · Feb 5, 2022 · 0c05809 · 0c05809
1 parent 98ebbdb
commit 0c05809
Show file tree

Hide file tree

Showing 2 changed files with 24 additions and 0 deletions.
diff --git a/.github/containerscan/allowedlist.yaml b/.github/containerscan/allowedlist.yaml
@@ -0,0 +1,2 @@
+general:
+  vulnerabilities: [] # List of excluded CVEs (e.g: CVE-2021-3711)
diff --git a/.github/workflows/cve-scan.yml b/.github/workflows/cve-scan.yml
@@ -0,0 +1,22 @@
+name: "CVE Scan"
+on:
+  schedule:
+    - cron: '0 0 * * *'
+  workflow_dispatch: { }
+jobs:
+  scan-images:
+    name: Scan latest public image
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        image: [ docker-asciidoctor ]
+        tag: [ latest ]
+    steps:
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@master
+        with:
+          image-ref: 'docker.io/asciidoctor/${{ matrix.image }}:${{ matrix.tag }}'
+          severity: 'CRITICAL,HIGH'
+          format: 'table'
+          # we can set to 0 to avoid breaking the pipeline
+          exit-code: '1'
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		general:
		vulnerabilities: [] # List of excluded CVEs (e.g: CVE-2021-3711)