feat: daily vuln scanner (#221)

mchmarny · web-flow · commit f2c34d7b1766 · 2025-10-30T19:01:55.000Z
diff --git a/.github/workflows/vuln-scan.yml b/.github/workflows/vuln-scan.yml
@@ -0,0 +1,74 @@
+# Copyright (c) 2025, NVIDIA CORPORATION.  All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+name: Daily Vulnerability Scan
+
+on:
+  schedule:
+    - cron: '30 7 * * *'
+  workflow_dispatch: {}  # allow manual runs for testing
+  pull_request:  # add itself for testing changes to this workflow
+    paths:
+      - '.github/workflows/vuln-scan.yml'
+
+permissions:
+  contents: read
+  actions: read
+  security-events: write  # required to upload SARIF
+
+concurrency:
+  group: scheduled-trivy-scan
+  cancel-in-progress: false
+
+env:
+  SARIF_OUTPUT: 'vulnerability-scan-results.sarif'
+  SEVERITY_LEVELS: 'HIGH,CRITICAL'
+
+jobs:
+  trivy-repo-scan:
+    runs-on: ubuntu-latest
+    timeout-minutes: 30
+    steps:
+      - name: Checkout
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8  # v5.0.0
+
+      - name: Scan Repo
+        continue-on-error: true
+        uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8  # v0.33.1
+        with:
+          scan-type: 'fs'
+          scan-ref: '.'
+          vuln-type: 'os,library'
+          scanners: 'vuln,secret,misconfig'
+          ignore-unfixed: true
+          format: 'sarif'
+          output: ${{ env.SARIF_OUTPUT }}
+          severity: ${{ env.SEVERITY_LEVELS }}
+          skip-dirs: 'vendor,node_modules,distros/kubernetes'
+          limit-severities-for-sarif: true
+
+      - name: Check SARIF file exists
+        id: check_sarif
+        run: |
+          if [ -f "${{ env.SARIF_OUTPUT }}" ]; then
+            echo "exists=true" >> $GITHUB_OUTPUT
+          else
+            echo "exists=false" >> $GITHUB_OUTPUT
+          fi
+
+      - name: Upload Report
+        if: steps.check_sarif.outputs.exists == 'true'
+        uses: github/codeql-action/upload-sarif@17783bfb99b07f70fae080b654aed0c514057477  # v2.23.3
+        with:
+          sarif_file: ${{ env.SARIF_OUTPUT }}
