Trivy Nightly Docker Scan #10
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Trivy Nightly Docker Scan | |
on: | |
# Run scans if the workflow is modified, in order to test the | |
# workflow itself. This results in some spurious notifications, | |
# but seems okay for testing. | |
pull_request: | |
branches: | |
- main | |
paths: | |
- .github/workflows/trivy-docker.yaml | |
# Run scans against master whenever changes are merged. | |
push: | |
branches: | |
- main | |
paths: | |
- .github/workflows/trivy-docker.yaml | |
schedule: | |
# Run at 10:15 am UTC (3:15am PT/5:15am CT) | |
# Run at 0 minutes 0 hours of every day. | |
- cron: "15 10 * * *" | |
workflow_dispatch: | |
permissions: | |
actions: none | |
checks: none | |
contents: read | |
deployments: none | |
issues: none | |
packages: none | |
pull-requests: none | |
repository-projects: none | |
security-events: write | |
statuses: none | |
# Cancel in-progress runs for pull requests when developers push | |
# additional changes, and serialize builds in branches. | |
# https://docs.github.com/en/actions/using-jobs/using-concurrency#example-using-concurrency-to-cancel-any-in-progress-job-or-run | |
concurrency: | |
group: ${{ github.workflow }}-${{ github.ref }} | |
jobs: | |
trivy-scan-image: | |
runs-on: ubuntu-20.04 | |
steps: | |
- name: Checkout code | |
uses: actions/checkout@v4 | |
- name: Run Trivy vulnerability scanner in image mode | |
uses: aquasecurity/trivy-action@062f2592684a31eb3aa050cc61e7ca1451cecd3d | |
with: | |
image-ref: "docker.io/codercom/code-server:latest" | |
ignore-unfixed: true | |
format: "sarif" | |
output: "trivy-image-results.sarif" | |
severity: "HIGH,CRITICAL" | |
- name: Upload Trivy scan results to GitHub Security tab | |
uses: github/codeql-action/upload-sarif@v3 | |
with: | |
sarif_file: "trivy-image-results.sarif" |