scan.yaml

name: Scan for vulnerabilities

on:
  pull_request:
    branches: [main]
    types: [milestoned, opened, synchronize]
  schedule:
    - cron: '0 1 * * *'
  workflow_dispatch: {}

jobs:
  scan:
    runs-on: ubuntu-latest
    name: Scan for vulnerabilities
    permissions:
      contents: read
      pull-requests: read

    steps:
      - name: Checkout
        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
        with:
          fetch-depth: 0

      - name: Environment setup
        uses: defenseunicorns/uds-common/.github/actions/setup@e2ad99f7caba1b0d08856918db9385a431cfdbca # v0.3.3
        with:
          username: ${{ secrets.IRON_BANK_ROBOT_USERNAME }}
          password: ${{ secrets.IRON_BANK_ROBOT_PASSWORD }}

      - name: Scan the repository for vulnerabilities
        run: |
          uds run grype:install
          uds run scan:vulns

      - name: Upload SARIF files 
        uses: github/codeql-action/upload-sarif@1b1aada464948af03b950897e5eb522f92603cc2
        with:
          sarif_file: ./sarif