esp-idf/.github/workflows/vulnerability_scan.yml
Frantisek Hrbata 5ec411679b feat: use esp-idf-sbom-action for vulnerability scan
This adds a github action, which performs continuous vulnerability
scanning using the esp-idf-sbom-action github action. The test
is scheduled everyday at midnight and it's also possible to start
it as dispatched workflow. This scans all possible manifest files
in repository. The references for scanning are defined in github's
VULNERABILITY_SCAN_REFS variable and a json list. For example
['master', 'release/v5.2', 'release/v5.1', 'release/v5.0', 'release/v4.4']

Signed-off-by: Frantisek Hrbata <frantisek.hrbata@espressif.com>
2023-12-07 10:03:54 +01:00

35 lines
1.0 KiB
YAML

name: Vulnerability scan
on:
schedule:
- cron: '0 0 * * *'
workflow_dispatch:
jobs:
vulnerability-scan:
strategy:
# We don't want to run all jobs in parallel, because this would
# overload NVD and we would get 503
max-parallel: 1
matrix:
# References/branches which should be scanned for vulnerabilities are
# defined in the VULNERABILITY_SCAN_REFS variable as json list.
# For example: ['master', 'release/v5.2', 'release/v5.1', 'release/v5.0', 'release/v4.4']
ref: ${{ fromJSON(vars.VULNERABILITY_SCAN_REFS) }}
name: Vulnerability scan
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: actions/checkout@v4
with:
submodules: recursive
ref: ${{ matrix.ref }}
- name: Vulnerability scan
env:
SBOM_MATTERMOST_WEBHOOK: ${{ secrets.SBOM_MATTERMOST_WEBHOOK }}
NVDAPIKEY: ${{ secrets.NVDAPIKEY }}
uses: espressif/esp-idf-sbom-action@master
with:
ref: ${{ matrix.ref }}