chore(deps): update github/codeql-action action to v3.26.9 #348

Workflow file for this run

	name: Trivy Scan

	on:
	push:
	schedule:
	- cron: '0 0 * * 1'

	permissions:
	contents: read

	jobs:
	prepare:
	name: Prepare list of images to build
	runs-on: ubuntu-latest
	outputs:
	images: ${{ steps.set-matrix.outputs.images }}
	steps:
	- name: Check out the source code
	uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7

	- name: Set matrix
	id: set-matrix
	run: echo images="$(jq '."x-build"' images/src/*/.devcontainer.json \| jq --slurp -c .)" >> "${GITHUB_OUTPUT}"

	scan-image:
	needs: prepare
	name: 'Build and Scan: ${{ matrix.image.name }}'
	runs-on: ubuntu-latest
	permissions:
	contents: read
	packages: read
	security-events: write
	strategy:
	fail-fast: false
	matrix:
	image: ${{ fromJson(needs.prepare.outputs.images) }}
	steps:
	- name: Check out the source code
	uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
	with:
	fetch-depth: 0

	- name: Check changed files
	id: changes
	run: \|
	if [ "${{ github.event_name }}" = "push" ]; then
	base="${{ github.event.before }}"
	head="${{ github.event.after }}"
	image="images/src/${{ matrix.image.image-name }}"
	changes="$(git diff --name-only "${base}" "${head}" -- "${image}" \| grep -Fv "${image}/README.md" \|\| true)"
	if [ -n "${changes}" ]; then
	echo needs_build=true >> "${GITHUB_OUTPUT}"
	else
	echo needs_build=false >> "${GITHUB_OUTPUT}"
	fi
	else
	echo needs_build=true >> "${GITHUB_OUTPUT}"
	fi

	- name: Set up QEMU
	uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0
	if: steps.changes.outputs.needs_build == 'true'

	- name: Set up Docker Buildx
	uses: docker/setup-buildx-action@988b5a0280414f521da01fcc63a27aeeb4b104db # v3.6.1
	if: steps.changes.outputs.needs_build == 'true'

	- name: Install @devcontainers/cli
	run: npm install -g @devcontainers/cli
	if: steps.changes.outputs.needs_build == 'true'

	- name: Build image
	run: devcontainer build --workspace-folder "images/src/${{ matrix.image.image-name }}" --image-name ${{ matrix.image.image-name }}
	if: steps.changes.outputs.needs_build == 'true'

	- name: Run Trivy vulnerability scanner
	uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8 # 0.24.0
	if: ${{ steps.changes.outputs.needs_build == 'true' && github.event.sender.login != 'dependabot[bot]' }}
	with:
	image-ref: '${{ matrix.image.image-name }}:latest'
	format: sarif
	output: trivy-${{ matrix.image.image-name }}.sarif

	- name: Upload Trivy scan results to GitHub Security tab
	uses: github/codeql-action/upload-sarif@461ef6c76dfe95d5c364de2f431ddbd31a417628 # v3.26.9
	if: ${{ steps.changes.outputs.needs_build == 'true' && github.event.sender.login != 'dependabot[bot]' }}
	with:
	sarif_file: trivy-${{ matrix.image.image-name }}.sarif

	- name: Run Trivy vulnerability scanner
	uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8 # 0.24.0
	if: steps.changes.outputs.needs_build == 'true'
	with:
	image-ref: '${{ matrix.image.image-name }}:latest'
	format: table

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

chore(deps): update github/codeql-action action to v3.26.9 #348

Workflow file

chore(deps): update github/codeql-action action to v3.26.9 #348

Jobs

Run details

Workflow file for this run