Vulnerability scan #374
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Vulnerability scan | |
on: | |
schedule: | |
- cron: '0 0 * * *' | |
workflow_dispatch: | |
jobs: | |
vulnerability-scan: | |
strategy: | |
# We don't want to run all jobs in parallel, because this would | |
# overload NVD and we would get 503 | |
max-parallel: 1 | |
matrix: | |
# References/branches which should be scanned for vulnerabilities are | |
# defined in the VULNERABILITY_SCAN_REFS variable as json list. | |
# For example: ['master', 'release/v5.2', 'release/v5.1', 'release/v5.0', 'release/v4.4'] | |
ref: ${{ fromJSON(vars.VULNERABILITY_SCAN_REFS) }} | |
name: Vulnerability scan | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout repository | |
uses: actions/checkout@v4 | |
with: | |
submodules: recursive | |
ref: ${{ matrix.ref }} | |
- name: Vulnerability scan | |
env: | |
SBOM_CHECK_LOCAL_DB: ${{ vars.SBOM_CHECK_LOCAL_DB }} | |
SBOM_MATTERMOST_WEBHOOK: ${{ secrets.SBOM_MATTERMOST_WEBHOOK }} | |
NVDAPIKEY: ${{ secrets.NVDAPIKEY }} | |
uses: espressif/esp-idf-sbom-action@master | |
with: | |
ref: ${{ matrix.ref }} |