From 072c041f9fea2207c182dc33d702ec1f9ef5871e Mon Sep 17 00:00:00 2001
From: Daniela Plascencia
Date: Wed, 16 Oct 2024 03:33:17 -0600
Subject: [PATCH] =?UTF-8?q?ci:=20enable=20scheduled=20trivy=20scanner=20an?=
 =?UTF-8?q?d=20report=20vulnerabilities=20as=20GH=20i=E2=80=A6=20(#30)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* ci: enable scheduled trivy scanner and report vulnerabilities as GH issues

This workflow enables a scheduled scanner (that can also be run from a workflow dispatch) to scan images using the trivy scanner. At the same time, enables the automatic creation/edition of Github issues when a vulnerability is found.

Fixes #28
---
 .github/workflows/scan_images.yaml | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)
 create mode 100644 .github/workflows/scan_images.yaml

diff --git a/.github/workflows/scan_images.yaml b/.github/workflows/scan_images.yaml
new file mode 100644
index 0000000..2f9d3be
--- /dev/null
+++ b/.github/workflows/scan_images.yaml
@@ -0,0 +1,21 @@
+name: Scan images
+
+on:
+ schedule:
+ - cron: '00 23 * * *'
+ workflow_dispatch:
+
+jobs:
+
+ scan-images:
+ name: Scan published images and report vulnerabilities
+ uses: canonical/charmed-kubeflow-workflows/.github/workflows/get-published-images-scan-and-report.yaml@main
+ strategy:
+ matrix:
+ branch: [main, track/ckf-1.8]
+ secrets:
+ GH_TOKEN: ${{ secrets.GH_TOKEN }}
+ with:
+ report-vulnerabilities: true
+ severity: "HIGH,CRITICAL"
+ branch: ${{ matrix.branch }}
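Review bot: The reusable workflow on the `uses:` line is referenced at `@main`, so every scheduled run executes whatever that branch holds at the moment, with `secrets.GH_TOKEN` handed to it; pin the reference to a release tag or full commit SHA, e.g. `uses: canonical/charmed-kubeflow-workflows/.github/workflows/get-published-images-scan-and-report.yaml@<tag-or-sha>`, and bump it deliberately. The job also declares no `permissions:` block, so the default `GITHUB_TOKEN` keeps the repository-wide default; since issue reporting appears to go through the separately supplied `GH_TOKEN`, a job-level `permissions: contents: read` would be the least-privilege baseline — confirm against what the called workflow actually requires. A one-line comment above `GH_TOKEN:` naming the scopes that token needs (presumably issues write) would help whoever has to rotate it later.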