Merge branch 'feature/vulnerability_scan' into 'master'

feat: use esp-idf-sbom-action for vulnerability scan Closes IDF-8805 and IDF-5187 See merge request espressif/esp-idf!27688
2024-10-05 20:47:46 -04:00 · 2023-12-11 21:57:05 +08:00 · 2023-12-11 21:57:05 +08:00 · 558392b998
commit 558392b998
parent a4c80b5fce 5ec411679b
1 changed files with 34 additions and 0 deletions
--- a/.github/workflows/vulnerability_scan.yml
+++ b/.github/workflows/vulnerability_scan.yml
@ -0,0 +1,34 @@
+name: Vulnerability scan
+
+on:
+  schedule:
+    - cron: '0 0 * * *'
+  workflow_dispatch:
+
+jobs:
+  vulnerability-scan:
+    strategy:
+      # We don't want to run all jobs in parallel, because this would
+      # overload NVD and we would get 503
+      max-parallel: 1
+      matrix:
+        # References/branches which should be scanned for vulnerabilities are
+        # defined in the VULNERABILITY_SCAN_REFS variable as json list.
+        # For example: ['master', 'release/v5.2', 'release/v5.1', 'release/v5.0', 'release/v4.4']
+        ref: ${{ fromJSON(vars.VULNERABILITY_SCAN_REFS) }}
+    name: Vulnerability scan
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          submodules: recursive
+          ref: ${{ matrix.ref }}
+
+      - name: Vulnerability scan
+        env:
+          SBOM_MATTERMOST_WEBHOOK: ${{ secrets.SBOM_MATTERMOST_WEBHOOK }}
+          NVDAPIKEY: ${{ secrets.NVDAPIKEY }}
+        uses: espressif/esp-idf-sbom-action@master
+        with:
+          ref: ${{ matrix.ref }}