mirror of
https://github.com/espressif/esp-idf.git
synced 2024-10-05 20:47:46 -04:00
35 lines
1.0 KiB
YAML
35 lines
1.0 KiB
YAML
|
name: Vulnerability scan
|
||
|
|
||
|
on:
|
||
|
schedule:
|
||
|
- cron: '0 0 * * *'
|
||
|
workflow_dispatch:
|
||
|
|
||
|
jobs:
|
||
|
vulnerability-scan:
|
||
|
strategy:
|
||
|
# We don't want to run all jobs in parallel, because this would
|
||
|
# overload NVD and we would get 503
|
||
|
max-parallel: 1
|
||
|
matrix:
|
||
|
# References/branches which should be scanned for vulnerabilities are
|
||
|
# defined in the VULNERABILITY_SCAN_REFS variable as json list.
|
||
|
# For example: ['master', 'release/v5.2', 'release/v5.1', 'release/v5.0', 'release/v4.4']
|
||
|
ref: ${{ fromJSON(vars.VULNERABILITY_SCAN_REFS) }}
|
||
|
name: Vulnerability scan
|
||
|
runs-on: ubuntu-latest
|
||
|
steps:
|
||
|
- name: Checkout repository
|
||
|
uses: actions/checkout@v4
|
||
|
with:
|
||
|
submodules: recursive
|
||
|
ref: ${{ matrix.ref }}
|
||
|
|
||
|
- name: Vulnerability scan
|
||
|
env:
|
||
|
SBOM_MATTERMOST_WEBHOOK: ${{ secrets.SBOM_MATTERMOST_WEBHOOK }}
|
||
|
NVDAPIKEY: ${{ secrets.NVDAPIKEY }}
|
||
|
uses: espressif/esp-idf-sbom-action@master
|
||
|
with:
|
||
|
ref: ${{ matrix.ref }}
|