From e6bbaa2ba630b86affae5b9c5b14e36d4d7b38ca Mon Sep 17 00:00:00 2001
From: Quentin McGaw
Date: Wed, 25 Mar 2020 18:21:36 -0400
Subject: [PATCH] Security analysis workflow

---
 .github/workflows/security.yml | 30 ++++++++++++++++++++++++++++++
 1 file changed, 30 insertions(+)
 create mode 100644 .github/workflows/security.yml

diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
new file mode 100644
index 00000000..0f113372
--- /dev/null
+++ b/.github/workflows/security.yml
@@ -0,0 +1,30 @@
+name: Security scan of Docker image
+on:
+  push:
+  schedule:
+    - cron: '0 9 * * *'
+jobs:
+  security-analysis:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v2
+      - name: Check for scratch
+        id: scratchCheck
+        run: echo ::set-output name=scratch::$(cat Dockerfile | grep 'FROM scratch')
+      - name: Build image
+        if: steps.scratchCheck.outputs.scratch == ''
+        run: docker build -t image .
+      - name: Phonito
+        if: steps.scratchCheck.outputs.scratch == ''
+        uses: phonito/phonito-scanner-action@master
+        with:
+          image: image
+          fail-level: LOW
+          phonito-token: ${{ secrets.PHONITO_TOKEN }}
+      - name: Trivy
+        if: steps.scratchCheck.outputs.scratch == ''
+        uses: homoluctus/gitrivy@v1.0.0
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+          image: image
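Review bot: The two third-party actions are referenced by mutable refs — `uses: phonito/phonito-scanner-action@master` and `uses: homoluctus/gitrivy@v1.0.0` — while each is handed a secret (`secrets.PHONITO_TOKEN` and `secrets.GITHUB_TOKEN`), so any later change to that branch or tag runs inside this job with those credentials and full checkout access. Pin both to a full commit SHA and keep the human-readable version in a trailing comment, e.g. `uses: phonito/phonito-scanner-action@<commit-sha>  # <release-tag>`, and refresh the pin deliberately rather than tracking `master`. The same treatment applies to `actions/checkout@v2`, though a first-party action is a lower risk. The `scratchCheck` step's `$(cat Dockerfile | grep 'FROM scratch')` skips all three following steps whenever the string appears anywhere in the Dockerfile, including an intermediate stage of a multi-stage build; if that is intentional, a short comment above the step saying the scan is skipped for scratch-based images would save the next reader from guessing.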