[DSEC-907] Notify AppSec team when Trivy action fails (#337)

* Notify AppSec team when Trivy action fails * Edit workflow * Edit workflow * Improve workflow * Update .github/workflows/trivy.yml Co-authored-by: Adam Nichols <aednichols@gmail.com> --------- Co-authored-by: Adam Nichols <aednichols@gmail.com>
broadinstitute · Jul 25, 2024 · 8168994 · 8168994
1 parent c7f001b
commit 8168994
Showing 1 changed file with 17 additions and 9 deletions.
diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml
@@ -2,22 +2,30 @@ name: dsp-appsec-trivy
 on:
   pull_request:
   schedule:
-    - cron: '0 14 * * 1' # each Monday at 9am EST
+    - cron: '23 1 * * 0'
 
 jobs:
   appsec-trivy:
     # Parse Dockerfile and build, scan image if a "blessed" base image is not used
     name: DSP AppSec Trivy check
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
-
-      - uses: broadinstitute/dsp-appsec-trivy-action@v1
+      - name: Checkout code
+        uses: actions/checkout@v3
         with:
-          sarif: trivy-results.sarif
+          fetch-depth: 0
+
+      - name: Run Trivy scan
+        uses: broadinstitute/dsp-appsec-trivy-action@v1
 
-      - name: Upload Trivy scan results to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@v1
-        if: ${{ !github.base_ref }} # omit upload on PRs
+      - name: Notify in Slack
+        if: failure()
+        uses: broadinstitute/action-slack@v3.15.0
+        env:
+          SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
         with:
-          sarif_file: trivy-results.sarif
+          status: ${{ job.status }}
+          channel: "trivy-weekly-scans-notblessedimages"
+          username: "Agora Trivy scan"
+          icon_emoji: ':alert_red_light:'
+          text: 'Agora Trivy scan failure. <https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}|Click here> to see the run.'