kestra/.github/workflows/vulnerabilities-check.yml

name: Vulnerabilities Checks

on:
  schedule:
    - cron: "0 0 * * *"  # Every day
  workflow_dispatch: {}

env:
  JAVA_VERSION: '21'

permissions:
  contents: read

jobs:
  dependency-check:
    name: Dependency Check
    runs-on: ubuntu-latest
    steps:
      # Checkout
      - uses: actions/checkout@v5
        with:
          fetch-depth: 0

      # Setup build
      - uses: kestra-io/actions/composite/setup-build@main
        id: build
        with:
          java-enabled: true
          node-enabled: true

      # Npm
      - name: Npm - Install
        shell: bash
        working-directory: ui
        run: npm ci

      # Run OWASP dependency check plugin
      - name: Gradle Dependency Check
        env:
          NVD_API_KEY: ${{ secrets.NIST_APIKEY }}
        run: |
          ./gradlew dependencyCheckAggregate

        # Upload dependency check report
      - name: Upload dependency check report
        uses: actions/upload-artifact@v4
        if: ${{ always() }}
        with:
          name: dependency-check-report
          path: build/reports/dependency-check-report.html

  develop-image-check:
    name: Image Check (develop)
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write
      actions: read
    steps:
      # Checkout
      - uses: actions/checkout@v5
        with:
          fetch-depth: 0

      # Setup build
      - uses: kestra-io/actions/composite/setup-build@main
        id: build
        with:
          java-enabled: false
          node-enabled: false

      # Run Trivy image scan for Docker vulnerabilities, see https://github.com/aquasecurity/trivy-action
      - name: Docker Vulnerabilities Check
        uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 # 0.33.1
        with:
          image-ref: kestra/kestra:develop
          format: 'template'
          template: '@/contrib/sarif.tpl'
          severity: 'CRITICAL,HIGH'
          output: 'trivy-results.sarif'
          skip-dirs: /app/plugins

      - name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v4
        with:
          sarif_file: 'trivy-results.sarif'
          category: docker-

  latest-image-check:
    name: Image Check (latest)
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write
      actions: read
    steps:
      # Checkout
      - uses: actions/checkout@v5
        with:
          fetch-depth: 0

      # Setup build
      - uses: kestra-io/actions/composite/setup-build@main
        id: build
        with:
          java-enabled: false
          node-enabled: false

      # Run Trivy image scan for Docker vulnerabilities, see https://github.com/aquasecurity/trivy-action
      - name: Docker Vulnerabilities Check
        uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 # 0.33.1
        with:
          image-ref: kestra/kestra:latest
          format: table
          skip-dirs: /app/plugins
          scanners: vuln
          severity: 'CRITICAL,HIGH'
          output: 'trivy-results.sarif'

      - name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v4
        with:
          sarif_file: 'trivy-results.sarif'
          category: docker-