Skip to content

Scanner NVD update

Scanner NVD update #74

name: Scanner NVD update
on:
schedule:
- cron: '0 */4 * * *' # this runs every 4 hours
workflow_dispatch:
jobs:
fetch-cves:
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: actions/checkout@v4
- name: Set up Python
uses: actions/setup-python@v5
with:
python-version: '3.10'
- name: Authenticate with Google Cloud
uses: google-github-actions/auth@v2
with:
credentials_json: ${{ secrets.GOOGLE_SA_CIRCLECI_SCANNER }}
- name: Set up Cloud SDK
uses: google-github-actions/setup-gcloud@v2
- name: Fetch CVEs
env:
SCANNER_NVD_API_KEY: ${{ secrets.NVD_API_KEY }}
SCANNER_NVD_URL: https://services.nvd.nist.gov/rest/json/cves/2.0
run: |
set -eu
dir=$(mktemp -d)
python3 .github/workflows/scripts/scanner-update-nvd.py "$dir"
mkdir nvd-bundle
tar -czf nvd-bundle/nvd-data.tar.gz -C "$dir" .
# TODO: ROX-20459 replace scanner v4 test bucket with product bucket
gsutil cp -r nvd-bundle gs://scanner-v4-test/
send-notification:
needs:
- fetch-cves
runs-on: ubuntu-latest
if: failure()
steps:
- name: Send Slack notification on workflow failure
run: |
curl -X POST -H 'Content-type: application/json' --data '{"text":"Workflow failed in workflow ${{ github.workflow }} in repository ${{ github.repository }}: Failed to update NVD CVEs"}' ${{ secrets.SLACK_ONCALL_SCANNER_WEBHOOK }}