# SPDX-FileCopyrightText: 2023 Technology Innovation Institute (TII)
#
# SPDX-License-Identifier: Apache-2.0
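# Nightly vulnerability scan of the Ghaf main branch. The scan output is written
# under reports/main and committed back to this repository by the last step.
name: Ghaf Vulnerability Scan
on:
  schedule:
    # GitHub evaluates cron schedules in UTC: every day at 02:00.
    - cron: "0 2 * * *"
  # Allow the scan to be started manually as well.
  workflow_dispatch:
jobs:
  scheduled:
    runs-on: ubuntu-latest
    # Declaring permissions explicitly limits GITHUB_TOKEN to the listed scope;
    # contents: write is what the auto-commit step needs to push the report.
    permissions:
      contents: write
    steps:
      # NOTE(review): the three actions below are referenced by mutable tags
      # (@v4, @v26, @v4). Every step in this job runs alongside a token with
      # contents: write, so pinning each action to a full commit SHA would keep
      # a retargeted tag from changing what executes here.
      - uses: actions/checkout@v4
      - uses: cachix/install-nix-action@v26
        with:
          nix_path: nixpkgs=channel:nixpkgs-unstable
          # Store paths fetched from the substituters below are accepted only
          # when signed by one of the trusted-public-keys, so the two lists
          # must be kept in sync when a cache is added or removed.
          extra_nix_config: |
            trusted-public-keys = ghaf-dev.cachix.org-1:S3M8x3no8LFQPBfHw1jl6nmP8A7cVWKntoMKN3IsEQY= cache.vedenemo.dev:8NhplARANhClUSWJyLVk4WMyy1Wb4rhmWW2u8AejH9E= cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=
            substituters = https://ghaf-dev.cachix.org?priority=20 https://cache.vedenemo.dev https://cache.nixos.org
            connect-timeout = 5
            system-features = nixos-test benchmark big-parallel kvm
      # Refresh the Grype vulnerability database before scanning; the version
      # and db status output record in the job log which tool and database
      # produced the report.
      - name: Grype DB update
        run: |
          nix develop --command grype --version
          nix develop --command grype db update
          nix develop --command grype db status
      # The flakeref is quoted because it contains '?', which the shell would
      # otherwise treat as a glob character. manual_analysis.csv is passed as
      # the whitelist, so that file decides which findings the scan is told to
      # treat as already analysed.
      - name: Ghaf Vulnerability Scan (main)
        run: |
          nix run .#ghafscan -- \
            --verbose=2 \
            --whitelist=manual_analysis.csv \
            --outdir=reports/main \
            "--flakeref=github:tiiuae/ghaf?ref=main" \
            --target=packages.x86_64-linux.lenovo-x1-carbon-gen11-debug
      # Commits whatever changed in the working tree during the job.
      # NOTE(review): consider setting the action's file_pattern input so that
      # only the report directory can be committed; confirm first which paths
      # ghafscan writes.
      - uses: stefanzweifel/git-auto-commit-action@v4
        with:
          commit_message: Automatic vulnerability report update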