split scans and cause a vulnerability

.github/actions/scan.yaml

@@ -0,0 +1,32 @@
+name: scan
+description: |
+  This builds the Docker image and scans it with Trivy.
+inputs:
+  format:
+    description: "The format of the output file. Can be 'table' or 'sarif'."
+    required: true
+    default: "table"
+  output:
+    description: "The output file when using 'sarif' format."
+    default: "trivy-results.sarif"
+runs:
+  steps:
+    - uses: docker/setup-qemu-action@v3
+      with:
+        platforms: amd64
+    - uses: docker/setup-buildx-action@v3
+    - uses: actions/checkout@v4
+    - run: make docker-build
+    - uses: aquasecurity/trivy-action@master
+      with:
+        image-ref: local/kubegres:scan-amd64
+        exit-code: 1
+        ignore-unfixed: false
+        severity: 'CRITICAL,HIGH,MEDIUM'
+        format: {{ inputs.format }}
+        output: {{ inputs.output }}
+    - name: Upload Trivy scan results to GitHub Security tab
+      uses: github/codeql-action/upload-sarif@v3
+      if: ${{ inputs.format == 'sarif' }}
+      with:
+        sarif_file: {{ inputs.output }}

.github/workflows/daily.yaml

@@ -0,0 +1,17 @@
+name: Scan
+
+on:
+  schedule:
+    - cron: '16 30 * * *'
+
+env:
+  GOPROXY: https://proxy.golang.org
+
+jobs:
+  scan:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: ./.github/actions/scan
+        with:
+            format: 'sarif'
+            output: 'trivy-results.sarif'

.github/workflows/scan.yaml

@@ -18,26 +18,7 @@ env:
 jobs:
   scan:
     runs-on: ubuntu-latest
-    env:
-      IMG: local/kubegres:scan
-      PLATFORMS: linux/amd64
     steps:
-      - uses: docker/setup-qemu-action@v3
+      - uses: ./.github/actions/scan
         with:
-          platforms: amd64
-      - uses: docker/setup-buildx-action@v3
-      - uses: actions/checkout@v4
-      - run: make docker-build
-      - uses: aquasecurity/trivy-action@master
-        with:
-          image-ref: local/kubegres:scan-amd64
-          exit-code: 1
-          ignore-unfixed: true
-          severity: 'CRITICAL,HIGH,MEDIUM'
-          format: 'sarif'
-          output: 'trivy-results.sarif'
-      - name: Upload Trivy scan results to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@v2
-        if: always()
-        with:
-          sarif_file: 'trivy-results.sarif'
+          format: 'table'

go.mod

@@ -61,7 +61,7 @@ require (
 	go.uber.org/multierr v1.6.0 // indirect
 	go.uber.org/zap v1.19.1 // indirect
 	golang.org/x/crypto v0.17.0 // indirect
-	golang.org/x/net v0.17.0 // indirect
+	golang.org/x/net v0.10.0 // indirect
 	golang.org/x/oauth2 v0.0.0-20211104180415-d3ed0bb246c8 // indirect
 	golang.org/x/sys v0.15.0 // indirect
 	golang.org/x/term v0.15.0 // indirect

go.sum

@@ -635,8 +635,8 @@ golang.org/x/net v0.0.0-20210825183410-e898025ed96a/go.mod h1:9nx3DQGgdP8bBQD5qx
 golang.org/x/net v0.0.0-20211015210444-4f30a5c0130f/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20220127200216-cd36cc0744dd/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk=
-golang.org/x/net v0.17.0 h1:pVaXccu2ozPjCXewfr1S7xza/zcXTity9cCdXQYSjIM=
-golang.org/x/net v0.17.0/go.mod h1:NxSsAGuq816PNPmqtQdLE42eU2Fs7NoRIZrHJAlaCOE=
+golang.org/x/net v0.10.0 h1:X2//UzNDwYmtCLn7To6G58Wr6f5ahEAQgKNzv9Y951M=
+golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=