security.yaml

name: 🕵🏼 Security scan

on:
  push:
    branches:
      - master
      - main
      - renovate/**
  pull_request:
  schedule:
    - cron: "0 3 * * *"

env:
  TEST_IMAGE: "newrelic/nri-statsd:test"

jobs:
  security:
    uses: newrelic/coreint-automation/.github/workflows/reusable_security.yaml@v3
    with:
      skip-dirs: "build"
      
  scan-image:
    name: Security scanner for docker image
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Login to DockerHub
        uses: docker/login-action@v3
        with:
          username: ${{ secrets.OHAI_DOCKER_HUB_ID }}
          password: ${{ secrets.OHAI_DOCKER_HUB_PASSWORD }}

      - name: Build image
        run: |
          make build/docker-amd64
      
      - name: Run Trivy to check Docker image for vulnerabilities
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: ${{ env.TEST_IMAGE }}
          format: 'table'
          exit-code: '1'
          ignore-unfixed: true
          vuln-type: 'os,library'
          severity: "CRITICAL,HIGH"