trivy.yml

name: trivy
permissions: read-all
on: [ push, pull_request ]

jobs:
  trivy:
    runs-on: ubuntu-20.04
    permissions:
      checks: write
      actions: read
      contents: read
      security-events: write
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
        with:
          disable-sudo: true
          egress-policy: block
          allowed-endpoints: >
            api.github.com:443
            ghcr.io:443
            github.com:443
            pkg-containers.githubusercontent.com:443
      - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@915b19bbe73b92a6cf82a1bc12b087c9a19a5fe2 # v0.28.0
        with:
          scan-type: fs
          format: sarif
          output: trivy-results.sarif
      - name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@f779452ac5af1c261dce0346a8f964149f49322b # v3.26.13
        with:
            sarif_file: trivy-results.sarif