add new workflow for nightly image scan (goharbor#17818)

add trivy nightly scan for harbor images - upload results to github security tab - scan all dev images Signed-off-by: Akhil Mohan <[email protected]>
stonezdj · Nov 25, 2022 · bcbfad6 · bcbfad6
1 parent f97aedf
commit bcbfad6
Showing 1 changed file with 38 additions and 0 deletions.
diff --git a/.github/workflows/nightly-trivy-scan.yml b/.github/workflows/nightly-trivy-scan.yml
@@ -0,0 +1,38 @@
+name: Trivy Nightly Scan
+on:
+  schedule:
+    - cron: '0 2 * * *' # run at 2 AM UTC
+
+
+jobs:
+  nightly-scan:
+    name: Trivy Scan nightly
+    strategy:
+      fail-fast: false
+      matrix:
+        # maintain the versions of harbor that need to be actively
+        # security scanned
+        # TODO have to add 2.7 version also once it is released
+        versions: [dev]
+        # list of images that need to be scanned
+        images: [harbor-core, harbor-db, harbor-exporter, harbor-jobservice, harbor-log, harbor-portal, harbor-registryctl, prepare]
+    permissions:
+      security-events: write  # for github/codeql-action/upload-sarif to upload SARIF results
+
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v3
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@master
+        with:
+          image-ref: 'docker.io/goharbor/${{ matrix.images }}:${{ matrix.versions }}'
+          severity: 'CRITICAL,HIGH'
+          format: 'template'
+          template: '@/contrib/sarif.tpl'
+          output: 'trivy-results.sarif'
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          sarif_file: 'trivy-results.sarif'