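--- a/PATH_NOT_SHOWN_IN_SOURCE
+++ b/PATH_NOT_SHOWN_IN_SOURCE
@@ -0,0 +1,83 @@
+name : Check outdated scanners
+on :
+push :
+schedule :
+- cron : " 15 9 * * *" # Daily at 9:15 (avoids the beginning of the hour congestion)
+jobs :
+version-compare :
+runs-on : ubuntu-latest
+strategy :
+matrix :
+scanner :
+- amass # Scanner that needs to be updated
+- angularjs-csti-scanner # Scanner that does not need to be updated
+# - gitleaks
+# - kube-hunter
+# - kubeaudit
+# - ncrack
+# - nuclei
+# - ssh-scan
+# - sslyze
+# - trivy
+# - whatweb
+# - wpscan
+# - zap
+# - zap-advanced
+# These are commented out for the moment to avoid accidental multiple erroneous PRs
+# missing scanners are : nmap, nikto, typo3scan
+steps :
+- uses : actions/checkout@v2
+
+- name : Import GPG key
+uses : crazy-max/ghaction-import-gpg@v3
+with :
+gpg-private-key : ${{ secrets.GPG_COMMITS_PRIVATE_KEY }}
+passphrase : ${{ secrets.GPG_COMMITS_PASSPHRASE }}
+git-user-signingkey : true
+git-commit-gpgsign : true
+
+- name : Fetch scanner's version API
+uses : mikefarah/yq@v4.4.1
+with :
+cmd : echo versionApi=$(yq e .versionApi scanners/${{ matrix.scanner }}/Chart.yaml) >> $GITHUB_ENV
+
+- name : Fetch latest release scanner version
+run : echo release=$((curl -sL ${{env.versionApi}} ) | jq -r ".tag_name") | tr -d "v" >> $GITHUB_ENV
+
+- name : Fetch local scanner version
+uses : mikefarah/yq@v4.4.1
+with :
+cmd : echo local=$(yq e .appVersion scanners/${{ matrix.scanner }}/Chart.yaml) | tr -d "v" >> $GITHUB_ENV
+
+- name : Check if scanner is outdated and if PR already exists
+if : ${{ env.release != env.local }}
+run : |
+echo 'The ${{ matrix.scanner }} scanner is outdated. Current SCB version is ${{env.local}} and remote version is ${{env.release}}'
+
+pullRequestTitle="[SCB-Bot] Upgraded ${{ matrix.scanner }} from ${{env.local}} to ${{env.release}}"
+echo pullRequest=$pullRequestTitle >> $GITHUB_ENV
+
+echo ${{ secrets.GITHUB_TOKEN }} | gh auth login --with-token
+echo prExists=$(gh pr list --state open --limit 100 | grep -F "$pullRequestTitle" -c) >> $GITHUB_ENV
+
+- name : Upgrade Scanner
+if : ${{ env.release != env.local && env.prExists == 0 }}
+uses : mikefarah/yq@v4.4.1
+with :
+# appVersion value in chart is replaced with release value. Empty lines are deleted in the process
+cmd : yq e --inplace '.appVersion = "v${{env.release}}"' ./scanners/${{ matrix.scanner }}/Chart.yaml
+
+- name : Create Pull Request
+if : ${{ env.release != env.local && env.prExists == 0 }}
+uses : peter-evans/create-pull-request@v3
+with :
+token : ${{ secrets.GITHUB_TOKEN }}
+committer : secureCodeBoxBot <securecodebox@iteratec.com>
+author : secureCodeBoxBot <securecodebox@iteratec.com>
+title : ${{ env.pullRequest }}
+body : " This is an automated Pull Request by the SCB-Bot. It upgrades ${{ matrix.scanner }} from ${{env.local}} to ${{env.release}}"
+branch : " dependencies/upgrading-${{ matrix.scanner }}-to-${{env.release}}"
+labels : dependencies,scanner
+commit-message : " Upgrading ${{ matrix.scanner }} from ${{env.local}} to ${{env.release}}"
+signoff : true
+base : main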
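Review bot: `${{env.release}}` is the `tag_name` returned by the upstream release API in the "Fetch latest release scanner version" step, and in the `run:` script of "Check if scanner is outdated and if PR already exists" and the yq `cmd:` of "Upgrade Scanner" it is substituted into the command text before the shell runs it, so a tag name containing shell metacharacters would be executed rather than printed; pass it, `env.local`, `matrix.scanner` and `env.versionApi` through a step-level `env:` block and reference `"$RELEASE"` etc. in the script, and in the yq expression use `strenv(RELEASE)` (yq v4) instead of interpolating. `tr -d "v"` in the two fetch steps deletes every `v` in the value rather than only the leading one, so a tag such as `v1.2.0-dev` becomes `1.2.0-de`; `"${release#v}"` strips just the prefix. When curl fails or the response carries no `tag_name`, `release` is empty or `null` and `if: ${{ env.release != env.local }}` still passes, which would write `appVersion: "v"` into Chart.yaml and open a PR, so the fetch should fail closed (`curl -sSfL` plus an explicit empty check). `$((curl ...) | jq ...)` also depends on bash backing out of a failed arithmetic expansion into a command substitution (shellcheck SC1105); a space after `$(` removes the ambiguity.
```yaml
# … unchanged: checkout, GPG import, "Fetch scanner's version API" …
- name: Fetch latest release scanner version
  env:
    VERSION_API: ${{ env.versionApi }}
  run: |
    release=$(curl -sSfL "$VERSION_API" | jq -r '.tag_name')
    # fail closed: an empty/null release would otherwise pass the `!= env.local` guard
    if [ -z "$release" ] || [ "$release" = "null" ]; then
      echo "no tag_name returned for $VERSION_API" >&2
      exit 1
    fi
    # strip only a leading "v"
    echo "release=${release#v}" >> "$GITHUB_ENV"
# … unchanged: "Fetch local scanner version" (apply the same ${local#v} treatment) …
- name: Check if scanner is outdated and if PR already exists
  if: ${{ env.release != env.local }}
  env:
    GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    SCANNER: ${{ matrix.scanner }}
    LOCAL: ${{ env.local }}
    RELEASE: ${{ env.release }}
  run: |
    echo "The $SCANNER scanner is outdated. Current SCB version is $LOCAL and remote version is $RELEASE"
    pullRequestTitle="[SCB-Bot] Upgraded $SCANNER from $LOCAL to $RELEASE"
    echo "pullRequest=$pullRequestTitle" >> "$GITHUB_ENV"
    echo "prExists=$(gh pr list --state open --limit 100 | grep -Fc "$pullRequestTitle")" >> "$GITHUB_ENV"
# … unchanged: "Upgrade Scanner" and "Create Pull Request" …
```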