diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml new file mode 100644 index 000000000000..8344323d726f --- /dev/null +++ b/.github/workflows/security.yml @@ -0,0 +1,48 @@ +name: Vulnerability Scanning with Trivy +on: + workflow_dispatch: + schedule: + - cron: '0 0 * * *' # Test Trivy daily at midnight + +env: + GOCOVERDIR: ${{ ( github.event_name == 'workflow_dispatch' || github.event_name == 'schedule' ) && '/home/runner/work/lxd/lxd/coverage' || '' }} + +permissions: + contents: read + security-events: write # for uploading SARIF results to the security tab + +concurrency: + group: ${{ github.workflow }}-${{ github.ref }}-${{ github.event_name }} + cancel-in-progress: true + +defaults: + run: + # Make sure bash is always invoked with `-eo pipefail` + # https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsshell + shell: bash + +jobs: + trivy-repo: + name: Trivy vulnerability scanner - Repository + runs-on: ubuntu-22.04 + if: ${{ ( github.event_name == 'workflow_dispatch' || github.event_name == 'schedule' ) }} + steps: + - name: Checkout + uses: actions/checkout@v4 + with: + ref: main + + - name: Run Trivy vulnerability scanner in repo mode + uses: aquasecurity/trivy-action@master + with: + scan-type: "fs" + ignore-unfixed: true + format: "sarif" + output: "trivy-lxd-repo-scan-results.sarif" + + - name: Upload Trivy scan results to GitHub Security tab + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: "trivy-lxd-repo-scan-results.sarif" + sha: ${{ env.GITHUB_SHA }} + ref: refs/heads/main diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml index 3b495df707ef..180a20659865 100644 --- a/.github/workflows/tests.yml +++ b/.github/workflows/tests.yml @@ -7,7 +7,7 @@ on: pull_request: workflow_dispatch: schedule: - - cron: '0 0 * * *' # Test TICS daily + - cron: '0 0 * * *' # Test TICS and Trivy daily env: LXD_REQUIRED_TESTS: "storage_buckets"