trivy.yml

name: trivy

on:
  push:
  schedule:
    - cron: "0 0 * * *"
  workflow_dispatch:

jobs:
  scan:
    runs-on: ubuntu-latest
    permissions:
      security-events: write
      actions: read
      contents: read

    steps:
      - name: Checkout upstream repo
        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
        with:
          ref: ${{ github.head_ref }}
      - id: scan
        name: Run Trivy vulnerability scanner in repo mode
        uses: aquasecurity/trivy-action@f3d98514b056d8c71a3552e8328c225bc7f6f353 # master
        with:
          scan-type: "fs"
          ignore-unfixed: true
          format: "sarif"
          output: "trivy-results.sarif"
          exit-code: 1
        env:
          TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db

      - name: Upload Trivy scan results to GitHub Security tab
        if: failure() && steps.scan.outcome == 'failure'
        uses: github/codeql-action/upload-sarif@e8893c57a1f3a2b659b6b55564fdfdbbd2982911 # v3.24.0
        with:
          sarif_file: "trivy-results.sarif"