.github/workflows/trivy.yml

# Workflow managed by https://github.com/AnchorFree/workflows/
name: Trivy scan

on:
  push:
    branches: [ "master" ]
  pull_request:
    types: [opened, reopened, synchronize]
  schedule:
    # 00:00 every 14 days 
    - cron: 0 0 */14 * *

permissions:
  contents: read

jobs:
  trivy-repo-scan:
    permissions:
      contents: read
      security-events: write
      actions: read
    name: Trivy repo scan
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
        with:
          lfs: true
          submodules: recursive

      - name: Checkout LFS objects
        run: git lfs checkout

      - name: Run Trivy vulnerability scanner in repo mode (table)
        uses: aquasecurity/trivy-action@0.23.0
        with:
          scan-type: 'fs'
          ignore-unfixed: true
          format: 'table'

      - name: Run Trivy vulnerability scanner in repo mode (sarif)
        uses: aquasecurity/trivy-action@0.23.0
        with:
          scan-type: 'fs'
          ignore-unfixed: true
          format: 'sarif'
          output: 'trivy-results.sarif'

      - name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: 'trivy-results.sarif'

  trivy-image-scan:
    permissions:
      contents: read
      security-events: write
      actions: read
    name: Trivy image scan
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
        with:
          lfs: true
          submodules: recursive

      - name: Checkout LFS objects
        run: git lfs checkout

      - name: Build an image from Dockerfile
        run: |
          docker build -t ${{ github.sha }} .
      - name: Run Trivy vulnerability scanner in image mode (table output)
        uses: aquasecurity/trivy-action@0.23.0
        with:
          image-ref: '${{ github.sha }}'
          ignore-unfixed: true
          format: 'table'

      - name: Run Trivy vulnerability scanner in image mode (sarif output)
        uses: aquasecurity/trivy-action@0.23.0
        with:
          image-ref: '${{ github.sha }}'
          ignore-unfixed: true
          format: 'sarif'
          output: 'trivy-results.sarif'

      - name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: 'trivy-results.sarif'