format: GitHub actions yaml (#6)

goodwithtech · Dec 25, 2019 · e3cc4e5 · e3cc4e5
1 parent 207d892
commit e3cc4e5
Show file tree

Hide file tree

Showing 2 changed files with 50 additions and 27 deletions.
diff --git a/.github/workflows/scheduled-scan.yml b/.github/workflows/scheduled-scan.yml
@@ -1,28 +1,40 @@
-name: Scan with trivy
+name: Scan the target image with trivy
 on:
   schedule:
-    - cron:  '0 0 * * *'
+      - cron:  '0 0 * * *'
 jobs:
   scan:
     name: Scan via trivy
     runs-on: ubuntu-latest
     env:
-      IMAGE: goodwithtech/dockle
-      # "*v0.2*" pattern
-      FILTER: v0.2
+      IMAGE: goodwithtech/dockle # target image name
+      FILTER: v0.2    # pattern : /*v0.2*/
     steps:
-      - name: Fetch last tag
-        id: versions
+      - name: detect a target image tag
+        id: target
+        run: echo ::set-output name=ver::$(
+            docker run --rm goodwithtech/dockertags -contain $FILTER -limit 1 -format json $IMAGE
+            | jq -r .[0].tags[0]
+            )
+      - name: detect a trivy image tag
+        id: trivy
+        run: echo ::set-output name=ver::$(
+            docker run --rm goodwithtech/dockertags -limit 1 -format json aquasec/trivy
+            | jq -r .[0].tags[0]
+            )
+      - name: check tags
         run: |
-          echo ::set-output name=trivy::$(docker run --rm goodwithtech/dockertags -limit 1 -format json aquasec/trivy | jq -r .[0].tags[0])
-          echo ::set-output name=target::$(docker run --rm goodwithtech/dockertags -contain $FILTER -limit 1 -format json $IMAGE | jq -r .[0].tags[0])
-      - name: Scan image for vulnerabilities
-        run: docker run aquasec/trivy:${{ steps.versions.outputs.trivy }} --exit-code 1 --no-progress $IMAGE:${{ steps.versions.outputs.target }}
-      - name: Slack Notification
+          echo trivy ${{ steps.trivy.outputs.ver }}
+          echo $IMAGE ${{ steps.target.outputs.ver }}
+      - name: scan the image with trivy
+        run: docker run aquasec/trivy:${{ steps.trivy.outputs.ver }}
+          --cache-dir /var/lib/trivy --exit-code 1 --no-progress
+          $IMAGE:${{ steps.target.outputs.ver }}
+      - name: notify to slack
         if: failure()
         uses: rtCamp/action-slack-notify@master
         env:
-          SLACK_CHANNEL: channel # set target channel name
+          SLACK_CHANNEL: channel  # target channel
           SLACK_MESSAGE: 'failed : trivy detects vulnerabilities'
           SLACK_TITLE: trivy-scan-notifier
-          SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}
+          SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}
diff --git a/README.md b/README.md
@@ -72,28 +72,39 @@ You can scan target image everyday recently updated.<br />
 This actions also notify results if trivy detects vulnerabilities.
 
 ```
-name: Scan with trivy
+name: Scan the target image with trivy
 on:
   schedule:
-    - cron:  '0 0 * * *'
+      - cron:  '0 0 * * *'
 jobs:
   scan:
     name: Scan via trivy
     runs-on: ubuntu-latest
     env:
-      IMAGE: goodwithtech/dockle
-      FILTER: v0.2    # tags pattern *v0.2*
+      IMAGE: goodwithtech/dockle # target image name
+      FILTER: v0.2    # pattern : /*v0.2*/
     steps:
-      - name: Fetch last tag
-        id: versions
+      - name: detect a target image tag
+        id: target
+        run: echo ::set-output name=ver::$(
+            docker run --rm goodwithtech/dockertags -contain $FILTER -limit 1 -format json $IMAGE
+            | jq -r .[0].tags[0]
+            )
+      - name: detect a trivy image tag
+        id: trivy
+        run: echo ::set-output name=ver::$(
+            docker run --rm goodwithtech/dockertags -limit 1 -format json aquasec/trivy
+            | jq -r .[0].tags[0]
+            )
+      - name: check tags
         run: |
-          echo ::set-output name=trivy::$(docker run --rm goodwithtech/dockertags -limit 1 -format json aquasec/trivy | jq -r .[0].tags[0])
-          echo ::set-output name=target::$(docker run --rm goodwithtech/dockertags -contain $FILTER -limit 1 -format json $IMAGE | jq -r .[0].tags[0])
-      - name: Scan image for vulnerabilities
-        run: |
-          echo ${{ steps.versions.output.target }}
-          docker run aquasec/trivy:${{ steps.versions.outputs.trivy }} --cache-dir /var/lib/trivy --exit-code 1 --no-progress $IMAGE:${{ steps.versions.outputs.target }}
-      - name: Slack Notification
+          echo trivy ${{ steps.trivy.outputs.ver }}
+          echo $IMAGE ${{ steps.target.outputs.ver }}
+      - name: scan the image with trivy
+        run: docker run aquasec/trivy:${{ steps.trivy.outputs.ver }}
+          --cache-dir /var/lib/trivy --exit-code 1 --no-progress
+          $IMAGE:${{ steps.target.outputs.ver }}
+      - name: notify to slack
         if: failure()
         uses: rtCamp/action-slack-notify@master
         env: