Create malware.yml

.github/workflows/malware.yml

@@ -0,0 +1,43 @@
+name: malware-scanner
+
+on:
+  push:
+    branches:
+    - "*"
+  pull_request:
+    branches:
+    - "*"
+
+jobs:
+  malware-scanner:
+    runs-on: ubuntu-latest
+    env:
+      GROUP: demo
+      COMMIT: ${{ github.sha }}
+      REPO: infra-mon
+      DEEPFENCE_CONSOLE_URL: ${{secrets.DEEPFENCE_URL}}
+      DEEPFENCE_KEY: ${{secrets.DEEPFENCE_KEY}}
+    steps:
+    - uses: actions/checkout@v4
+
+    # Run Deepfence Malware Scanner to check for malwares in image
+    - name: Run Deepfence Malware Scanner
+      env:
+        DEEPFENCE_CONSOLE_URL: ${{ env.DEEPFENCE_CONSOLE_URL }}
+        DEEPFENCE_KEY: ${{ env.DEEPFENCE_KEY }}
+        FULL_IMAGE_NAME: ${{ env.GROUP }}/${{ env.REPO }}:${{ github.sha }}
+        NGINX: "nginx:latest" 
+        FAIL_MALWARE_COUNT: 100 # Fail build if number of malwares found is >= this number. Set -1 to pass regardless of malwares.
+        FAIL_HIGH_MALWARE_COUNT: 10 # Fail build if number of high malwares found is >= this number. Set -1 to pass regardless of high malwares.
+        FAIL_MEDIUM_MALWARE_COUNT: 20 # Fail build if number of medium malwares found is >= this number. Set -1 to pass regardless of medium malwares.
+        FAIL_LOW_MALWARE_COUNT: 50 # Fail build if number of low malwares found is >= this number. Set -1 to pass regardless of low malwares.
+      run: |
+        docker pull deepfenceio/deepfence_malware_scanner_ce:2.1.1
+        docker run -i --rm --net=host --privileged=true \
+          --cpus=0.3 \
+          -v /var/run/docker.sock:/var/run/docker.sock:rw deepfenceio/deepfence_malware_scanner_ce:2.1.1 \
+          -image-name "$NGINX" \
+          -fail-on-count=$FAIL_MALWARE_COUNT \
+          -fail-on-high-count=$FAIL_HIGH_MALWARE_COUNT \
+          -fail-on-medium-count=$FAIL_MEDIUM_MALWARE_COUNT -\
+          fail-on-low-count=$FAIL_LOW_MALWARE_COUNT