diff --git a/.github/workflows/nightly-vuln-scanning.yml b/.github/workflows/nightly-vuln-scanning.yml
index ad7b957f..432c8847 100644
--- a/.github/workflows/nightly-vuln-scanning.yml
+++ b/.github/workflows/nightly-vuln-scanning.yml
@@ -1,6 +1,10 @@
 name: Run nightly vulnerability check
 on:
+ push:
+ branches:
+ - main
+ - container-vuln-scanner
 schedule:
 - cron: '0 0 * * *'
@@ -21,7 +25,7 @@ jobs:
 id: runscanner
 continue-on-error: true
 with:
- image-ref: 'ghcr.io/pulibrary/dpul-collections:main'
+ image-ref: 'ghcr.io/pulibrary/dpul-collections:pr-51'
 format: 'table'
 exit-code: '1'
 ignore-unfixed: true
@@ -53,3 +57,13 @@ jobs:
 with:
 filename: .github/failed-vuln-check.md
 update_existing: true
+ - name: Find existing security issue
+ id: issues
+ if: job.steps.runscanner.status == success()
+ uses: lee-dohm/select-matching-issues@v1
+ with:
+ query: 'Container Vulnerability Scanner Failed is:open '
+ token: ${{ secrets.GITHUB_TOKEN }}
+ - name: Close found issues
+ if: job.steps.runscanner.status == success()
+ run: cat ${{ steps.bugs.outputs.path }} | xargs gh issue close -c 'Container Scan Passing on Merge to Main'
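Review bot: The new `push` trigger for the `container-vuln-scanner` branch in the first hunk reads as a debugging aid and should be dropped before merge, otherwise every push to that branch runs the scanner and, via the later hunk, opens or closes security issues in the repo. The `push` trigger on `main` is also worth a caveat: the step scans a pre-built registry tag, and unless the image-build workflow (not visible here) is guaranteed to finish first, a push-triggered run may scan the previous image rather than the commit that was just pushed; `workflow_run` on the build workflow would be the safer hook. I would add a comment above `push:` stating which image the push-triggered run is expected to see, e.g. `# push-triggered runs scan whatever :main tag is currently published, not necessarily this commit`.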
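Review bot: Changing `image-ref` from `ghcr.io/pulibrary/dpul-collections:main` to `ghcr.io/pulibrary/dpul-collections:pr-51` in the second hunk means the nightly job no longer scans the production `main` image at all, and a PR tag is normally deleted once the PR is merged, so this looks like a test artifact left over from the feature branch. If merged as-is the issue-closing comment text added later, "Container Scan Passing on Merge to Main", would be asserted on the basis of a scan of a different image. Either revert to `image-ref: 'ghcr.io/pulibrary/dpul-collections:main'` or derive the tag from the trigger, e.g. `image-ref: 'ghcr.io/pulibrary/dpul-collections:${{ github.event_name == 'schedule' && 'main' || github.ref_name }}'`, with a comment explaining the choice. The enclosing step starts outside the hunk.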
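Review bot: The "Close found issues" step in the last hunk reads `steps.bugs.outputs.path`, but the step that produces the file is given `id: issues`, so the expression expands to empty and `cat` fails (or `xargs` runs `gh issue close` with no issue) and stale scanner issues are never closed. Two further problems stop the steps from working even with the id fixed: `job.steps.runscanner.status` is not a documented expression context as far as I know — the documented form is `steps.runscanner.outcome` (use `outcome`, not `conclusion`, because `continue-on-error: true` forces `conclusion` to success) — and `gh` needs `GH_TOKEN` in the environment, which the `run` step never sets, while the default `GITHUB_TOKEN` also needs `issues: write` permission if the workflow's `permissions` block is read-only. Since `gh issue close` accepts one issue at a time, use `xargs -r -n1` so multiple matches are closed individually and an empty result is a no-op; and `lee-dohm/select-matching-issues@v1` is a mutable tag, so pinning it to a commit SHA would remove a supply-chain foothold that has `GITHUB_TOKEN` in hand. The indentation below is conventional GitHub Actions layout, since the collapsed diff does not preserve the original.
```yaml
      - name: Find existing security issue
        id: issues
        if: steps.runscanner.outcome == 'success'
        # pin to a commit SHA rather than the mutable v1 tag
        uses: lee-dohm/select-matching-issues@v1
        with:
          query: 'Container Vulnerability Scanner Failed is:open '
          token: ${{ secrets.GITHUB_TOKEN }}
      - name: Close found issues
        if: steps.runscanner.outcome == 'success'
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        # -r: do nothing when no issues matched; -n1: gh closes one issue per invocation
        run: xargs -r -n1 gh issue close -c 'Container Scan Passing on Merge to Main' < "${{ steps.issues.outputs.path }}"
```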