| | name: Security Scan |
| |
|
| | on: |
| | schedule: |
| | - cron: '0 0 * * 0' |
| | workflow_dispatch: |
| |
|
| | jobs: |
| | check-repository: |
| | runs-on: ubuntu-latest |
| | outputs: |
| | is_original: ${{ steps.check.outputs.is_original }} |
| | steps: |
| | - id: check |
| | run: | |
| | if [ "${{ github.repository }}" = "ErlichLiu/DeepClaude" ]; then |
| | echo "is_original=true" >> $GITHUB_OUTPUT |
| | else |
| | echo "is_original=false" >> $GITHUB_OUTPUT |
| | fi |
| | |
| | scan: |
| | needs: check-repository |
| | if: needs.check-repository.outputs.is_original == 'true' |
| | runs-on: ubuntu-latest |
| | steps: |
| | - uses: actions/checkout@v4 |
| |
|
| | - name: Set lowercase variables |
| | run: | |
| | OWNER_LOWER=$(echo "${{ github.repository_owner }}" | tr '[:upper:]' '[:lower:]') |
| | REPO_NAME_LOWER=$(echo "${{ github.event.repository.name }}" | tr '[:upper:]' '[:lower:]') |
| | echo "OWNER_LOWER=$OWNER_LOWER" >> $GITHUB_ENV |
| | echo "REPO_NAME_LOWER=$REPO_NAME_LOWER" >> $GITHUB_ENV |
| | |
| | - name: Run Trivy vulnerability scanner |
| | uses: aquasecurity/trivy-action@master |
| | with: |
| | image-ref: ghcr.io/${{ env.OWNER_LOWER }}/${{ env.REPO_NAME_LOWER }}:latest |
| | format: 'table' |
| | exit-code: '1' |
| | ignore-unfixed: true |
| | severity: 'CRITICAL' |
