mirror of
https://github.com/espressif/esp-idf
synced 2025-03-09 09:09:10 -04:00
e9cfa83983
esp-idf-sbom offers two ways to perform vulnerability scanning. The primary method, which is the default, uses the NVD REST API. The alternative method uses the esp-nvd-mirror repository. If there are issues with accessing the NVD REST API, it can be useful to switch to the esp-nvd-mirror easily. Allow to set the SBOM_CHECK_LOCAL_DB github repository variable to switch to esp-nvd-mirror. Signed-off-by: Frantisek Hrbata <frantisek.hrbata@espressif.com>
36 lines
1.1 KiB
YAML
36 lines
1.1 KiB
YAML
name: Vulnerability scan
|
|
|
|
on:
|
|
schedule:
|
|
- cron: '0 0 * * *'
|
|
workflow_dispatch:
|
|
|
|
jobs:
|
|
vulnerability-scan:
|
|
strategy:
|
|
# We don't want to run all jobs in parallel, because this would
|
|
# overload NVD and we would get 503
|
|
max-parallel: 1
|
|
matrix:
|
|
# References/branches which should be scanned for vulnerabilities are
|
|
# defined in the VULNERABILITY_SCAN_REFS variable as json list.
|
|
# For example: ['master', 'release/v5.2', 'release/v5.1', 'release/v5.0', 'release/v4.4']
|
|
ref: ${{ fromJSON(vars.VULNERABILITY_SCAN_REFS) }}
|
|
name: Vulnerability scan
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- name: Checkout repository
|
|
uses: actions/checkout@v4
|
|
with:
|
|
submodules: recursive
|
|
ref: ${{ matrix.ref }}
|
|
|
|
- name: Vulnerability scan
|
|
env:
|
|
SBOM_CHECK_LOCAL_DB: ${{ vars.SBOM_CHECK_LOCAL_DB }}
|
|
SBOM_MATTERMOST_WEBHOOK: ${{ secrets.SBOM_MATTERMOST_WEBHOOK }}
|
|
NVDAPIKEY: ${{ secrets.NVDAPIKEY }}
|
|
uses: espressif/esp-idf-sbom-action@master
|
|
with:
|
|
ref: ${{ matrix.ref }}
|