Skip to content

Vulnerability scan #374

Vulnerability scan

Vulnerability scan #374

name: Vulnerability scan
on:
schedule:
- cron: '0 0 * * *'
workflow_dispatch:
jobs:
vulnerability-scan:
strategy:
# We don't want to run all jobs in parallel, because this would
# overload NVD and we would get 503
max-parallel: 1
matrix:
# References/branches which should be scanned for vulnerabilities are
# defined in the VULNERABILITY_SCAN_REFS variable as json list.
# For example: ['master', 'release/v5.2', 'release/v5.1', 'release/v5.0', 'release/v4.4']
ref: ${{ fromJSON(vars.VULNERABILITY_SCAN_REFS) }}
name: Vulnerability scan
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: actions/checkout@v4
with:
submodules: recursive
ref: ${{ matrix.ref }}
- name: Vulnerability scan
env:
SBOM_CHECK_LOCAL_DB: ${{ vars.SBOM_CHECK_LOCAL_DB }}
SBOM_MATTERMOST_WEBHOOK: ${{ secrets.SBOM_MATTERMOST_WEBHOOK }}
NVDAPIKEY: ${{ secrets.NVDAPIKEY }}
uses: espressif/esp-idf-sbom-action@master
with:
ref: ${{ matrix.ref }}