Configure security advisory upload (#245)

Signed-off-by: Ignasi Barrera <[email protected]>
istio-ecosystem · Apr 12, 2024 · 8e2e849 · 8e2e849
1 parent 361ff2e
commit 8e2e849
Showing 1 changed file with 12 additions and 1 deletion.
diff --git a/.github/workflows/scan.yaml b/.github/workflows/scan.yaml
@@ -15,6 +15,7 @@
 name: Scan
 
 on:
+ # Run scans on all commits and PRs to verify new codes does not introduce new vulnerabilities.
  push:
  branches:
  - main
@@ -24,6 +25,9 @@ on:
  branches:
  - main
  - release-**
+ # Run nightly scans to upload any new CVEs to the security advisories
+ schedule:
+ - cron: "0 0 * * *"
  workflow_dispatch: {}
 
 env:
@@ -44,6 +48,13 @@ jobs:
  - uses: actions/checkout@v4
  - run: make docker
  - uses: anchore/scan-action@v3
+ id: scan
  with:
  image: local/authservice:scan-amd64
- output-format: table
+ - run: cat ${{ steps.scan.outputs.sarif }}
+ # Do not upload the security advisories on every commit or pull request.
+ # Upload the security advisories only for the nightly scans.
+ - uses: github/codeql-action/upload-sarif@v3
+ if: ${{ github.event_name == 'schedule' }}
+ with:
+ sarif_file: ${{ steps.scan.outputs.sarif }}