---
name: vulnscan

on:
  schedule:
  - cron: '7 4 * * 4'  # weekly on thursday morning

jobs:
  scan-released-dockerimages:
    runs-on: ubuntu-latest
    env:
      TRIVY_LIGHT: 'true'
      TRIVY_IGNORE_UNFIXED: 'true'
      TRIVY_REMOVED_PKGS: 'true'
    steps:
    - name: Install Trivy
      run: |
        mkdir -p $GITHUB_WORKSPACE/bin
        echo "::add-path::$GITHUB_WORKSPACE/bin"
        curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/master/contrib/install.sh | sh -s -- -b $GITHUB_WORKSPACE/bin
    - name: Download Trivy DB
      run: |
        trivy image --download-db-only
    - name: Scan vulnerabilities using Trivy
      run: |
        trivy --version

        ALL_IMAGES="$(curl -s https://hub.docker.com/v2/repositories/cmur2/dyndnsd/tags?page_size=1000 | jq -r '.results[].name | "cmur2/dyndnsd:" + .' | grep -e 'cmur2/dyndnsd:v' | sort -r)"
        EXIT_CODE=0
        set -e
        for major_version in $(seq 1 10); do
          for image in $ALL_IMAGES; do
            if [[ "$image" = cmur2/dyndnsd:v$major_version.* ]]; then
              echo -n "\nScanning newest patch release $image of major v$major_version...\n"
              if ! trivy image --skip-update --exit-code 1 "$image"; then
                EXIT_CODE=1
              fi
              break
            fi
          done
        done
        exit "$EXIT_CODE"