diff --git a/.github/workflows/trivy-vuln.yml b/.github/workflows/trivy-vuln.yml
new file mode 100644
index 0000000..90e263c
--- /dev/null
+++ b/.github/workflows/trivy-vuln.yml
@@ -0,0 +1,67 @@
+---
+# This workflow uses actions that are not certified by GitHub. They are provided
+# by a third-party and are governed by separate terms of service, privacy
+# policy, and support documentation.
+
+name: Trivy Vulnerability Scan
+on:
+  branch_protection_rule:
+  schedule:
+    - cron: 40 8 * * 5
+  pull_request:
+    branches:
+      - main
+  push:
+    branches:
+      - main
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+permissions: read-all
+
+jobs:
+  analysis:
+    name: Perform analysis
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+      id-token: write
+
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+        with:
+          disable-sudo: true
+          egress-policy: block
+          allowed-endpoints: >
+            api.github.com:443
+            github.com:443
+            objects.githubusercontent.com:443
+
+      - name: Checkout code
+        uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
+        with:
+          persist-credentials: false
+
+      - name: Run Trivy vulnerability scanner in repo mode
+        uses: aquasecurity/trivy-action@0.18.0
+        with:
+          scan-type: fs
+          format: sarif
+          output: results.sarif
+          trivy-config: trivy-vuln.yaml
+          github-pat: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Upload artifact
+        uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
+        with:
+          name: SARIF file
+          path: results.sarif
+          retention-days: 5
+
+      - name: Upload to code-scanning
+        uses: github/codeql-action/upload-sarif@1b1aada464948af03b950897e5eb522f92603cc2 # v3.24.9
+        with:
+          sarif_file: results.sarif
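Review bot: The `egress-policy: block` allow-list in the Harden Runner step omits the registry Trivy fetches its vulnerability database from (by default the `trivy-db` OCI artifact on ghcr.io), so the scan step will likely fail at DB download unless `trivy-vuln.yaml` (not part of this diff) sets `db.repository` to another source; add `ghcr.io:443` and `pkg-containers.githubusercontent.com:443` to `allowed-endpoints`. `aquasecurity/trivy-action@0.18.0` is the only step pinned to a mutable tag while every other action is pinned to a full commit SHA with a version comment, so pin it the same way, `uses: aquasecurity/trivy-action@<commit-sha-for-0.18.0> # 0.18.0`. The job also grants `id-token: write` although no step in this file uses OIDC, so that line can be dropped to keep the job at least privilege. Finally, quote the schedule expression, `- cron: '40 8 * * 5'`, matching GitHub's documented form and avoiding plain-scalar handling of `*`.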