From 0c05809ce6798455b15dc286cc3925fcec7335bc Mon Sep 17 00:00:00 2001
From: Abel Salgado Romero
Date: Wed, 6 Oct 2021 22:38:02 +0200
Subject: [PATCH] Add CVE scan pipeline as scheduled nightly

The new 'CVE scan' pipeline scans the latest published image for high & critical vulnerabilities.

closes #224
---
 .github/containerscan/allowedlist.yaml | 2 ++
 .github/workflows/cve-scan.yml | 22 ++++++++++++++++++++++
 2 files changed, 24 insertions(+)
 create mode 100644 .github/containerscan/allowedlist.yaml
 create mode 100644 .github/workflows/cve-scan.yml

diff --git a/.github/containerscan/allowedlist.yaml b/.github/containerscan/allowedlist.yaml
new file mode 100644
index 00000000..f34d7367
--- /dev/null
+++ b/.github/containerscan/allowedlist.yaml
@@ -0,0 +1,2 @@
+general:
+  vulnerabilities: [] # List of excluded CVEs (e.g: CVE-2021-3711)
diff --git a/.github/workflows/cve-scan.yml b/.github/workflows/cve-scan.yml
new file mode 100644
index 00000000..29899ebc
--- /dev/null
+++ b/.github/workflows/cve-scan.yml
@@ -0,0 +1,22 @@
+name: "CVE Scan"
+on:
+  schedule:
+    - cron: '0 0 * * *'
+  workflow_dispatch: { }
+jobs:
+  scan-images:
+    name: Scan latest public image
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        image: [ docker-asciidoctor ]
+        tag: [ latest ]
+    steps:
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@master
+        with:
+          image-ref: 'docker.io/asciidoctor/${{ matrix.image }}:${{ matrix.tag }}'
+          severity: 'CRITICAL,HIGH'
+          format: 'table'
+          # we can set to 0 to avoid breaking the pipeline
+          exit-code: '1'
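Review bot: Nothing in this commit consumes `.github/containerscan/allowedlist.yaml`: the `general.vulnerabilities` layout is the allowlist format of the Azure container-scan action, whereas the workflow added in cve-scan.yml runs aquasecurity/trivy-action, which as far as I know takes its exclusions from a `.trivyignore` file (or its `trivyignores` input) instead. As written, a CVE added to this list would not suppress anything in the nightly scan, so either switch to the ignore mechanism of the scanner actually used or state in the comment which tool reads this file. I would also widen the comment so that each exclusion carries a reason and a re-check date, since an allowlist entry silently turns a failing scan green, e.g. `# Excluded CVEs, one per entry with a reason and a re-check date (e.g: CVE-2021-3711)`.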
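Review bot: `uses: aquasecurity/trivy-action@master` runs whatever that upstream branch contains at the moment of each nightly run, so any change to it, malicious or not, lands in this pipeline unreviewed; pin the reference, e.g. `uses: aquasecurity/trivy-action@<release-tag-or-full-commit-sha>`, with a full commit SHA being the stronger choice. The workflow also declares no `permissions:` block, so the job inherits the repository's default GITHUB_TOKEN scope even though scanning a public image needs nothing from the token; `permissions: contents: read` (or `permissions: {}`) at the top of the file would close that gap. Finally, `exit-code: '1'` together with `severity: 'CRITICAL,HIGH'` also fails the run on findings that have no upstream fix yet, which is where an ignore list or Trivy's `ignore-unfixed` input normally comes in; the comment above `exit-code` should say which of those knobs the team intends to use rather than only mentioning `0`.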