Skip to content

Security Scan

Security Scan #62

Workflow file for this run

name: Security Scan
on:
workflow_run:
workflows: [Docker]
types: [completed]
pull_request:
branches: [master]
schedule:
- cron: '0 8 * * 1' # weekly, Monday 08:00 UTC
jobs:
image-scan:
name: Image scan
runs-on: ubuntu-latest
if: >
github.event_name == 'schedule' ||
(github.event_name == 'workflow_run' &&
github.event.workflow_run.conclusion == 'success')
permissions:
contents: read
security-events: write
packages: read
steps:
- name: Log in to GHCR
uses: docker/login-action@v4
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Set lowercase owner
run: echo "OWNER_LC=${GITHUB_REPOSITORY_OWNER,,}" >> "$GITHUB_ENV"
- name: Run Trivy image scan
uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0
with:
image-ref: ghcr.io/${{ env.OWNER_LC }}/gitporter:latest
format: sarif
output: trivy-results.sarif
severity: CRITICAL,HIGH
ignore-unfixed: true
- name: Upload SARIF to GitHub Security tab
uses: github/codeql-action/upload-sarif@v4
if: always() && hashFiles('trivy-results.sarif') != ''
with:
sarif_file: trivy-results.sarif
fs-scan:
name: Filesystem scan
runs-on: ubuntu-latest
if: github.event_name == 'pull_request'
permissions:
contents: read
security-events: write
steps:
- name: Checkout
uses: actions/checkout@v6
- name: Run Trivy filesystem scan
uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0
with:
scan-type: fs
scan-ref: .
format: sarif
output: trivy-results.sarif
severity: CRITICAL,HIGH
ignore-unfixed: true
- name: Upload SARIF to GitHub Security tab
uses: github/codeql-action/upload-sarif@v4
if: always() && hashFiles('trivy-results.sarif') != ''
with:
sarif_file: trivy-results.sarif