1+ name : cve
2+
3+ on :
4+ workflow_dispatch :
5+ schedule :
6+ - cron : " 30 15 */2 * *"
7+
8+ jobs :
9+ cve :
10+ runs-on : ubuntu-latest
11+ steps :
12+ - name : init / checkout
13+ uses : actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
14+ with :
15+ ref : ${{ github.ref_name }}
16+ fetch-depth : 0
17+
18+ - name : init / setup environment
19+ uses : actions/github-script@62c3794a3eb6788d9a2a72b219504732c0c9a298
20+ with :
21+ script : |
22+ const { existsSync, readFileSync } = require('node:fs');
23+ const { resolve } = require('node:path');
24+ const { inspect } = require('node:util');
25+ const { Buffer } = require('node:buffer');
26+ const inputs = `${{ toJSON(github.event.inputs) }}`;
27+ const opt = {input:{}, dot:{}};
28+
29+ try{
30+ if(inputs.length > 0){
31+ opt.input = JSON.parse(inputs);
32+ if(opt.input?.etc){
33+ opt.input.etc = JSON.parse(Buffer.from(opt.input.etc, 'base64').toString('ascii'));
34+ }
35+ }
36+ }catch(e){
37+ core.warning('could not parse github.event.inputs');
38+ }
39+
40+ try{
41+ const path = resolve('.json');
42+ if(existsSync(path)){
43+ try{
44+ opt.dot = JSON.parse(readFileSync(path).toString());
45+ }catch(e){
46+ throw new Error('could not parse .json');
47+ }
48+ }else{
49+ throw new Error('.json does not exist');
50+ }
51+ }catch(e){
52+ core.setFailed(e);
53+ }
54+
55+ core.info(inspect(opt, {showHidden:false, depth:null, colors:true}));
56+
57+ core.exportVariable('WORKFLOW_IMAGE', `${opt.dot.image}:${(opt.dot?.semver?.version === undefined) ? 'rolling' : opt.dot.semver.version}`);
58+ core.exportVariable('WORKFLOW_GRYPE_SEVERITY_CUTOFF', (opt.dot?.grype?.severity || 'high'));
59+
60+
61+ - name : grype / scan
62+ id : grype
63+ uses : anchore/scan-action@dc6246fcaf83ae86fcc6010b9824c30d7320729e
64+ with :
65+ image : ${{ env.WORKFLOW_IMAGE }}
66+ fail-build : true
67+ severity-cutoff : ${{ env.WORKFLOW_GRYPE_SEVERITY_CUTOFF }}
68+ output-format : ' sarif'
69+ by-cve : true
70+ cache-db : true
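Review bot: The `init / setup environment` step builds script text from `${{ toJSON(github.event.inputs) }}` inside a template literal, so any dispatch input containing a backtick or `${` is spliced into the JavaScript before it runs and executes in the runner with the job's GITHUB_TOKEN rather than being treated as data. github-script already exposes the parsed payload, so the string round-trip is unnecessary: replace the `const inputs = ...` line with `const inputs = context.payload.inputs ?? {};` and the first `try` body with `opt.input = inputs;`, keeping the `etc` base64/JSON decode as it is. The same step calls `core.setFailed(e)` when `.json` is missing or unparsable but then keeps going and exports `WORKFLOW_IMAGE` as `undefined:rolling`; a `return;` after `core.setFailed(e)` stops the script at the failure. The workflow also declares no `permissions:` block, so it runs with the repository's default token scope even though checkout and the scan only need `permissions: { contents: read }` at the top level (widen it explicitly if SARIF upload is added later). Since every action is pinned to a commit SHA, a trailing `# <tag>` comment on each `uses:` line would let reviewers see which release the pin tracks without resolving the hash.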