diff --git a/.github/workflows/cve-scan.yml b/.github/workflows/cve-scan.yml
new file mode 100644
index 0000000..3758be8
--- /dev/null
+++ b/.github/workflows/cve-scan.yml
@@ -0,0 +1,77 @@
+name: CVE Scan
+
+on:
+ push:
+ branches: ["main"]
+ tags: ["**"]
+ pull_request:
+ types:
+ - opened
+ - reopened
+ - synchronize
+ schedule:
+ - cron: "14 3 * * 1-5"
+ workflow_dispatch:
+
+concurrency:
+ group: {% raw %}${{ github.workflow }}-${{ github.ref }}{% endraw %}
+ cancel-in-progress: true
+
+jobs:
+ scan:
+ runs-on: ubuntu-latest
+ timeout-minutes: 10
+ steps:
+ - name: Checkout repo
+ uses: actions/checkout@v4
+ with:
+ fetch-depth: 1
+
+ - name: Cache requirements
+ uses: actions/cache@v4
+ env:
+ cache-name: cache-requirements
+ with:
+ path: ~/.cache/pip
+ {% raw %}key: ${{ env.cache-name }}-${{ hashFiles('requirements.txt') }}{% endraw %}
+ restore-keys: |
+ {% raw %}${{ env.cache-name }}-{% endraw %}
+
+ - name: Cache environment
+ uses: actions/cache@v4
+ env:
+ cache-name: cache-environment
+ with:
+ path: ~/.cache/pip
+ {% raw %}key: ${{ env.cache-name }}-${{ hashFiles('*.lock') }}{% endraw %}
+ restore-keys: |
+ {% raw %}${{ env.cache-name }}-{% endraw %}
+
+ - name: Setup python
+ uses: actions/setup-python@v5
+ with:
+ python-version: 3.11
+
+ - name: Install requirements
+ run: make setup
+
+ - name: Export dependencies
+ run: |
+ mkdir --parents pdm
+ pdm export-all > pdm/requirements.txt
+
+ - name: Run trivy
+ uses: aquasecurity/trivy-action@master
+ with:
+ format: 'sarif'
+ list-all-pkgs: 'true'
+ output: 'trivy-results.sarif'
+ scan-ref: '.'
+ scan-type: 'fs'
+ severity: 'MEDIUM,HIGH,CRITICAL'
+
+ - name: Publish results
+ uses: github/codeql-action/upload-sarif@v3
+ if: always()
+ with:
+ sarif_file: 'trivy-results.sarif'
\ No newline at end of file
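Review bot: `uses: aquasecurity/trivy-action@master` in the "Run trivy" step pins the scanner to a mutable branch, so every run executes whatever the upstream default branch holds at that moment and any compromised or broken upstream commit reaches this workflow unreviewed, while the neighbouring steps are already pinned to tags. Pin it to a release tag or, preferably, a full-length commit SHA with the tag in a trailing comment, e.g. `uses: aquasecurity/trivy-action@<full-commit-sha>  # <release-tag>`. The workflow also declares no `permissions:` block although `github/codeql-action/upload-sarif@v3` needs `security-events: write`; adding `permissions: { contents: read, security-events: write }` at the top level makes the upload independent of the repository's default token setting and keeps the rest of the token read-only (on pull requests from forks the token is read-only regardless, so the publish step is expected to fail there). Separately, `python-version: 3.11` should be quoted as `python-version: "3.11"` so a later bump to a version such as 3.10 is not parsed as the float 3.1. The two cache steps both save and restore `~/.cache/pip` under different keys, so the second restore presumably overwrites the first; if the `*.lock`-keyed cache was meant for a different directory, its `path` likely needs to differ.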