trivy-scan.yml

name: Daily Vulnerability Scan

on:
  schedule:
    - cron: '0 15 * * *'
  workflow_dispatch:
    inputs:
      tag:
        description: 'Image tag'
        required: true
        default: 'master'

jobs:
  scan-image:
    runs-on: ubuntu-latest
    steps:
      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@0.11.2
        with:
          image-ref: "ghcr.io/sksat/kuso-subdomain-adder:${{ github.event.inputs.tag || 'master' }}"
          format: 'sarif'
          output: 'trivy-results.sarif'

      - name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v2.3.6
        with:
          sarif_file: 'trivy-results.sarif'

  scan-image2:
    runs-on: ubuntu-latest
    steps:
      - name: Scan for vulnerabilities
        id: scan
        uses: crazy-max/ghaction-container-scan@v2.1.0
        with:
          image: ghcr.io/sksat/kuso-subdomain-adder:${{ github.event.inputs.tag || 'master' }}
          dockerfile: ./Dockerfile

      - name: Upload SARIF file
        if: ${{ steps.scan.outputs.sarif != '' }}
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: ${{ steps.scan.outputs.sarif }}

  scan-repo:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3

      - name: Run Trivy vulnerability scanner in repo mode
        uses: aquasecurity/trivy-action@0.11.2
        with:
          scan-type: 'fs'
          ignore-unfixed: true
          format: 'sarif'
          output: 'trivy-results.sarif'
          severity: 'CRITICAL'

      - name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v2.3.6
        with:
          sarif_file: 'trivy-results.sarif'