From 11213a8d83024e177d1bc28bd85f03e2c1eb27de Mon Sep 17 00:00:00 2001
From: Guillaume Grossetie
Date: Tue, 17 May 2022 18:43:39 +0200
Subject: [PATCH] resolves #1266 run a CVE scanner (nightly)

---
 .github/workflows/cve-scan.yml | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)
 create mode 100644 .github/workflows/cve-scan.yml

diff --git a/.github/workflows/cve-scan.yml b/.github/workflows/cve-scan.yml
new file mode 100644
index 000000000..991aff937
--- /dev/null
+++ b/.github/workflows/cve-scan.yml
@@ -0,0 +1,22 @@
+name: "CVE Scan"
+on:
+  schedule:
+    - cron: '0 0 * * *'
+  workflow_dispatch: { }
+jobs:
+  scan-images:
+    name: Scan latest public image
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        image: [ kroki, kroki-mermaid, kroki-bpmn, kroki-excalidraw, kroki-blockdiag, kroki-diagramsnet ]
+        tag: [ latest ]
+    steps:
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@master
+        with:
+          image-ref: 'docker.io/yuzutech/${{ matrix.image }}:${{ matrix.tag }}'
+          severity: 'CRITICAL,HIGH'
+          format: 'table'
+          # we can set to 0 to avoid breaking the pipeline
+          exit-code: '1'
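Review bot: The `uses: aquasecurity/trivy-action@master` line in the new workflow pulls a third-party action from a mutable branch, so whatever is pushed to that branch runs every night in this repository's workflow context with the default `GITHUB_TOKEN`; for a job whose purpose is vulnerability scanning that is exactly the supply-chain exposure it should avoid. Pin the action to an immutable full commit SHA and record the version in a trailing comment, `uses: aquasecurity/trivy-action@<full-commit-sha>  # <release tag>` (placeholders — take both from the action's release page), and let Dependabot or Renovate keep it current. Because the job only pulls and scans public images and never writes to the repository, also add a top-level `permissions: contents: read` (or `permissions: {}`) so the token handed to the action is least-privilege. With `format: 'table'` and `exit-code: '1'` the findings surface only in the log of a failed run, so it is worth checking that a failing nightly run actually notifies someone rather than being ignored.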