| name: Security Scan |
|
|
| on: |
| schedule: |
| - cron: '0 0 * * 0' |
| workflow_dispatch: |
|
|
| jobs: |
| check-repository: |
| runs-on: ubuntu-latest |
| outputs: |
| is_original: ${{ steps.check.outputs.is_original }} |
| steps: |
| - id: check |
| run: | |
| if [ "${{ github.repository }}" = "ErlichLiu/DeepClaude" ]; then |
| echo "is_original=true" >> $GITHUB_OUTPUT |
| else |
| echo "is_original=false" >> $GITHUB_OUTPUT |
| fi |
| |
| scan: |
| needs: check-repository |
| if: needs.check-repository.outputs.is_original == 'true' |
| runs-on: ubuntu-latest |
| steps: |
| - uses: actions/checkout@v4 |
|
|
| - name: Set lowercase variables |
| run: | |
| OWNER_LOWER=$(echo "${{ github.repository_owner }}" | tr '[:upper:]' '[:lower:]') |
| REPO_NAME_LOWER=$(echo "${{ github.event.repository.name }}" | tr '[:upper:]' '[:lower:]') |
| echo "OWNER_LOWER=$OWNER_LOWER" >> $GITHUB_ENV |
| echo "REPO_NAME_LOWER=$REPO_NAME_LOWER" >> $GITHUB_ENV |
| |
| - name: Run Trivy vulnerability scanner |
| uses: aquasecurity/trivy-action@master |
| with: |
| image-ref: ghcr.io/${{ env.OWNER_LOWER }}/${{ env.REPO_NAME_LOWER }}:latest |
| format: 'table' |
| exit-code: '1' |
| ignore-unfixed: true |
| severity: 'CRITICAL' |
