From 5ec411679bd610c44eb64755f8a36900cebdf4d9 Mon Sep 17 00:00:00 2001
From: Frantisek Hrbata
Date: Tue, 5 Dec 2023 19:39:12 +0100
Subject: [PATCH] feat: use esp-idf-sbom-action for vulnerability scan
This adds a github action, which performs continuous vulnerability scanning using the esp-idf-sbom-action github action. The test is scheduled everyday at midnight and it's also possible to start it as dispatched workflow. This scans all possible manifest files in repository. The references for scanning are defined in github's VULNERABILITY_SCAN_REFS variable and a json list. For example ['master', 'release/v5.2', 'release/v5.1', 'release/v5.0', 'release/v4.4']
Signed-off-by: Frantisek Hrbata
---
 .github/workflows/vulnerability_scan.yml | 34 ++++++++++++++++++++++++
 1 file changed, 34 insertions(+)
 create mode 100644 .github/workflows/vulnerability_scan.yml
diff --git a/.github/workflows/vulnerability_scan.yml b/.github/workflows/vulnerability_scan.yml
new file mode 100644
index 0000000000..fe775576e5
--- /dev/null
+++ b/.github/workflows/vulnerability_scan.yml
@@ -0,0 +1,34 @@
+name: Vulnerability scan
+
+on:
+ schedule:
+ - cron: '0 0 * * *'
+ workflow_dispatch:
+
+jobs:
+ vulnerability-scan:
+ strategy:
+ # We don't want to run all jobs in parallel, because this would
+ # overload NVD and we would get 503
+ max-parallel: 1
+ matrix:
+ # References/branches which should be scanned for vulnerabilities are
+ # defined in the VULNERABILITY_SCAN_REFS variable as json list.
+ # For example: ['master', 'release/v5.2', 'release/v5.1', 'release/v5.0', 'release/v4.4']
+ ref: ${{ fromJSON(vars.VULNERABILITY_SCAN_REFS) }}
+ name: Vulnerability scan
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+ with:
+ submodules: recursive
+ ref: ${{ matrix.ref }}
+
+ - name: Vulnerability scan
+ env:
+ SBOM_MATTERMOST_WEBHOOK: ${{ secrets.SBOM_MATTERMOST_WEBHOOK }}
+ NVDAPIKEY: ${{ secrets.NVDAPIKEY }}
+ uses: espressif/esp-idf-sbom-action@master
+ with:
+ ref: ${{ matrix.ref }}
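Review bot: `uses: espressif/esp-idf-sbom-action@master` in the second step tracks a mutable branch while that same step receives `secrets.NVDAPIKEY` and `secrets.SBOM_MATTERMOST_WEBHOOK` through `env`, so whatever is pushed to that branch next runs here with those secrets; pin the action to a release tag or, better, a full commit SHA, e.g. `uses: espressif/esp-idf-sbom-action@<full commit SHA>  # <release tag>`, and let Dependabot/Renovate bump it. The workflow also declares no `permissions:` block, so the job's GITHUB_TOKEN gets the repository's default scopes; a top-level `permissions:` with `contents: read` is all a checkout-and-scan job needs. With `max-parallel: 1` and the matrix's default fail-fast behaviour, one ref's scan exiting non-zero (for instance the NVD 503 the comment already anticipates) cancels the refs still queued, so `fail-fast: false` under `strategy:` would let every branch be scanned and reported independently. The `fromJSON(vars.VULNERABILITY_SCAN_REFS)` matrix presumably fails at evaluation time if the variable is unset or not a JSON list, which is worth stating in the comment above `ref:` so operators know the variable is mandatory.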