rasa-custom/.github/workflows/vulnerability-scan.yml at 2.4.3-custom · YouBotTeam/rasa-custom · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
name: Vulnerability Scan

on:
  schedule:
    # Run every third day
    - cron: 0 0 * * */3

jobs:
  scan:
    name: Vulnerability scan
    runs-on: ubuntu-latest

    env:
      DOCKERFILE: Dockerfile_with_poetry_lock

    steps:
    - name: Checkout git repository 🕝
      uses: actions/checkout@v2

    - name: Add poetry.lock 🔒
      # Trivy depends on the presence of `poetry.lock` to scan Python dependencies
      run: |
        BASE_IMAGE=rasa/rasa:latest-full
        docker pull $BASE_IMAGE

        # Create Dockerfile which includes poetry.lock
        tee -a $DOCKERFILE << END
        FROM $BASE_IMAGE
        COPY poetry.lock .
        END

        IMAGE_NAME=rasa/rasa:latest-scanned
        docker build -f $DOCKERFILE -t $IMAGE_NAME .

        echo "IMAGE_WITH_POETRY_LOCK=$IMAGE_NAME" >> $GITHUB_ENV

    - name: Scan image 🕵️‍♀️🕵️‍♂️
      uses: wochinge/gitrivy@995f2ce2802b337d4498e67b97b8074f2400e5bd
      with:
        # Needs the token so it can create an issue once a vulnerability was found
        token: ${{ secrets.GITHUB_TOKEN }}
        image: ${{ env.IMAGE_WITH_POETRY_LOCK }}
        ignore_unfixed: true
        issue_label: "tool:trivy,type:vulnerability"
        fail_on_vulnerabilities: true

    - name: Notify slack on failure
      if: failure()
      env:
        SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }}
      uses: voxmedia/github-action-slack-notify-build@212e9f7a9ca33368c8dd879d6053972128258985
      with:
        channel_id: ${{ secrets.SLACK_ALERTS_CHANNEL_ID }}
        status: FAILED
        color: danger