Skip to content

Trivy Checks

Trivy Checks #123

Workflow file for this run

name: Trivy Checks
on:
workflow_dispatch:
workflow_call:
schedule:
- cron: '30 22 * * *'
concurrency:
group: trivy-${{ github.ref }}
cancel-in-progress: true
jobs:
trivy:
runs-on: ubuntu-20.04
permissions:
contents: write
security-events: write
steps:
- name: "Checkout repository"
uses: actions/checkout@v4
- name: Run Trivy vulnerability scanner
uses: aquasecurity/[email protected]
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db:2,public.ecr.aws/aquasecurity/trivy-db:2
with:
scan-type: 'fs'
ignore-unfixed: true
format: 'sarif'
output: 'trivy-results.sarif'
severity: 'MEDIUM,HIGH,CRITICAL'
- name: Upload Trivy scan results
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: 'trivy-results.sarif'
- name: Generate SBOM
uses: aquasecurity/[email protected]
with:
scan-type: 'fs'
format: 'github'
output: 'dependency-results.sbom.json'
image-ref: '.'
github-pat: ${{ secrets.GITHUB_TOKEN }}