Merge pull request #438 from DopplerHQ/bin-scan

chore: scan latest container image for vulnz on schedule
DopplerHQ · Oct 19, 2023 · 1bfa1cf · 1bfa1cf
2 parents 3952f04 + 9a85c53
commit 1bfa1cf
Show file tree

Hide file tree

Showing 3 changed files with 30 additions and 2 deletions.
diff --git a/.github/workflows/binary-scanner.yaml b/.github/workflows/binary-scanner.yaml
@@ -0,0 +1,23 @@
+name: Binary Scanner
+
+on:
+  schedule:
+    - cron: '28 1 * * *'
+
+jobs:
+  scan:
+    name: Scan
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v3
+      - name: Pull image
+        run: |
+          docker pull dopplerhq/cli:latest
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@master
+        with:
+          image-ref: 'docker.io/dopplerhq/cli:latest'
+          exit-code: '1'
+          ignore-unfixed: true
+          scanners: vuln
diff --git a/.github/workflows/vulncheck.yml b/.github/workflows/vulncheck.yml
@@ -1,6 +1,10 @@
 name: Vulncheck
 
-on: [pull_request, push]
+on:
+  pull_request:
+  push:
+  schedule:
+    - cron: '28 1 * * *'
 
 permissions:
   contents: read # to fetch code (actions/checkout)
@@ -15,7 +19,7 @@ jobs:
       - name: Set up Go
         uses: actions/setup-go@v3
         with:
-          go-version: 1.21.0
+          go-version: '1.21'
           check-latest: true
       - name: Get official govulncheck
         run: go install golang.org/x/vuln/cmd/govulncheck@latest

diff --git a/pkg/http/http.go b/pkg/http/http.go
@@ -272,6 +272,7 @@ func request(req *http.Request, verifyTLS bool, allowTimeout bool) (*http.Respon
 }
 
 func performSSERequest(req *http.Request, verifyTLS bool, handler func([]byte)) (int, http.Header, error) {
+	// nosemgrep: trailofbits.go.invalid-usage-of-modified-variable.invalid-usage-of-modified-variable
 	response, requestErr := request(req, verifyTLS, false)
 	if requestErr != nil {
 		statusCode := 0