Scan

Scan #446

	name: Scan

	on:
	schedule:
	- cron: "0 6 * * *" # Every day at 8am
	# Allow to run this workflow manually
	workflow_dispatch:

	jobs:
	vulnerability-scan:
	runs-on: ubuntu-latest
	permissions:
	contents: read
	packages: read
	security-events: write
	steps:
	- uses: actions/checkout@v4
	- name: Run Trivy vulnerability scanner
	# Third-party action, pin to commit SHA!
	# See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
	uses: aquasecurity/trivy-action@fbd16365eb88e12433951383f5e99bd901fc618f
	env:
	TRIVY_USERNAME: ${{ github.actor }}
	TRIVY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
	with:
	scan-type: "fs"
	skip-dirs: "node_modules" # See https://github.com/aquasecurity/trivy/issues/1283
	format: "sarif"
	output: "trivy-results.sarif"
	severity: "CRITICAL,HIGH"
	exit-code: "1" # Fail the build!
	- name: Upload Trivy scan results to GitHub Security tab
	uses: github/codeql-action/upload-sarif@v2
	if: always() # Bypass non-zero exit code..
	with:
	sarif_file: "trivy-results.sarif"
	- name: Send status to Slack
	# Third-party action, pin to commit SHA!
	# See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
	uses: lazy-actions/slatify@c4847b8c84e3e8076fd3c42cc00517a10426ed65 # == v3.0.0
	if: ${{ failure() && env.SLACK_WEBHOOK_URL }}
	env:
	SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
	with:
	type: ${{ job.status }}
	job_name: "Vulnerability scan :point_right:"
	mention: "here"
	mention_if: "failure"
	commit: true
	url: ${{ secrets.SLACK_WEBHOOK_URL }}
	token: ${{ secrets.GITHUB_TOKEN }}

Provide feedback