feat(ci): add periodic and ad hoc vulnerability scan

esp-idf-sbom allows to scan whole repository/directory for all possible manifest files(idf_component.yml, sbom.yml and its referenced manifests, .gitmodules) and check them for possible vulnerabilities based on the cpe variable in manifest. This adds scheduled scan at every midnight and also ad hoc(dispatch workflow) allowing to scan on demand. Simple message with overall status and job link is sent to mattermost channel via webhook specified with MATTERMOST_WEBHOOK secret. Signed-off-by: Frantisek Hrbata <[email protected]>
espressif · Oct 4, 2023 · 9a3764c · 9a3764c
1 parent d913100
commit 9a3764c
Showing 1 changed file with 33 additions and 0 deletions.
diff --git a/.github/workflows/vulnerability_scan.yml b/.github/workflows/vulnerability_scan.yml
@@ -0,0 +1,33 @@
+name: Vulnerability scan
+
+on:
+  schedule:
+     - cron: '0 0 * * *'
+  workflow_dispatch:
+
+jobs:
+  vulnerability-scan:
+    name: Vulnerability scan
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+      - name: Install esp-idf-sbom
+        run: pip3 install esp-idf-sbom
+      - name: Vulnerability scan
+        shell: bash
+        env:
+          MATTERMOST_WEBHOOK: ${{ secrets.MATTERMOST_WEBHOOK }}
+        run: |
+          JOB_URL="${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}/actions/runs/${GITHUB_RUN_ID}"
+          USER_NAME="idf-extra-components"
+          python3 -m esp_idf_sbom manifest check
+          if [ $? -eq 0 ]
+          then
+            MSG=":large_green_circle: No vulnerabilities found"
+          else
+            MSG=":large_red_circle: New vulnerabilities found"
+          fi
+          curl --no-progress-meter -i -X POST -H 'Content-Type: application/json'\
+               -d "{\"username\": \"${USER_NAME}\", \"text\": \"${MSG} ${JOB_URL}\"}"\
+                 "$MATTERMOST_WEBHOOK"