.github/workflows/scan.yml

---
name: Scan

on:
  schedule:
    - cron: '0 0 * * *'
env:
  IMAGE_NAME: opendatacube/explorer

jobs:
  cve-scanner:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout git
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
          branch: develop

      - name: Get unstable git tag
        run: >
          echo "UNSTABLE_TAG=$(git describe --tags)" >> $GITHUB_ENV

      - name: Log the unstable tag
        run: echo $UNSTABLE_TAG

      - name: Build unstable + latest Docker image tag
        if: github.event_name != 'release'
        uses: whoan/docker-build-with-cache-action@v8
        with:
          image_name: ${{ env.IMAGE_NAME }}
          image_tag: ${{ env.UNSTABLE_TAG }},latest
          build_extra_args: "--build-arg=ENVIRONMENT=deployment"
          push_image_and_stages: false

      - name: Run vulnerability scanner
        if: github.event_name != 'release'
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: "${{ env.IMAGE_NAME }}:${{ env.UNSTABLE_TAG }}"
          format: 'sarif'
          output: 'trivy-results.sarif'
          ignore-unfixed: true
          vuln-type: 'library'
          severity: "CRITICAL,HIGH"

      - name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: 'trivy-results.sarif'