security-scan.yml

name: Security Scan for Docker Images

on:
  schedule:
    - cron: '0 0 * * 1'
  workflow_dispatch:

permissions:
  contents: read
  security-events: write

jobs:
  security-scan:
    if: github.repository == 'SignalK/signalk-server'
    name: Security Scan
    runs-on: ubuntu-24.04
    strategy:
      fail-fast: false
      matrix:
        os: [24.04, alpine]
        node: [24.x]
        include:
          - os: 24.04
            node: 24.x
            image-tag: 'latest'
          - os: alpine
            node: 24.x
            image-tag: 'latest-alpine'
    steps:
      - name: Checkout code
        uses: actions/checkout@v6
      - name: Run Trivy vulnerability scanner for Docker Image
        uses: aquasecurity/trivy-action@0.35.0
        with:
          image-ref: 'ghcr.io/signalk/signalk-server:${{ matrix.image-tag }}'
          format: 'sarif'
          output: 'trivy-results-docker-node${{ matrix.node }}-${{ matrix.image-tag }}.sarif'
      - name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v4
        if: always()
        with:
          sarif_file: 'trivy-results-docker-node${{ matrix.node }}-${{ matrix.image-tag }}.sarif'
          category: 'trivy-docker-node${{ matrix.node }}-${{ matrix.image-tag }}'