mirror of
https://github.com/searxng/searxng.git
synced 2025-12-25 13:10:01 +00:00
dd170964c7
All actions are pulled using the version hash, versions are handled by dependabot, and we'll have control over which actions get updated. Replaces Trivy scanner with Docker Scout, we have recently begun analyzing the images there, and the action will keep us in sync about the problems on GHCS dashboard.
47 lines
1.2 KiB
YAML
47 lines
1.2 KiB
YAML
---
|
|
name: Security
|
|
|
|
# yamllint disable-line rule:truthy
|
|
on:
|
|
workflow_dispatch:
|
|
schedule:
|
|
- cron: "42 05 * * *"
|
|
|
|
concurrency:
|
|
group: ${{ github.workflow }}
|
|
cancel-in-progress: false
|
|
|
|
permissions:
|
|
contents: read
|
|
|
|
jobs:
|
|
container:
|
|
if: github.repository_owner == 'searxng'
|
|
name: Container
|
|
runs-on: ubuntu-24.04-arm
|
|
permissions:
|
|
security-events: write
|
|
|
|
steps:
|
|
- name: Checkout
|
|
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
|
with:
|
|
persist-credentials: "false"
|
|
|
|
- name: Sync GHCS from Docker Scout
|
|
uses: docker/scout-action@f8c776824083494ab0d56b8105ba2ca85c86e4de # v1.18.2
|
|
with:
|
|
organization: "searxng"
|
|
dockerhub-user: "${{ secrets.DOCKERHUB_USERNAME }}"
|
|
dockerhub-password: "${{ secrets.DOCKERHUB_TOKEN }}"
|
|
image: "registry://ghcr.io/searxng/searxng:latest"
|
|
command: "cves"
|
|
sarif-file: "./scout.sarif"
|
|
exit-code: "false"
|
|
write-comment: "false"
|
|
|
|
- name: Upload SARIFs
|
|
uses: github/codeql-action/upload-sarif@a4e1a019f5e24960714ff6296aee04b736cbc3cf # v3.29.6
|
|
with:
|
|
sarif_file: "./scout.sarif"
|