docker-base/.github/workflows/scheduled-trivy.yml at 36c11ed7d6b81c98409037cc982bfcf60c4741f5 · appwrite/docker-base · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
name: Scheduled Trivy Scan

on:
  push:
    branches: [ "main" ]
  pull_request:
    # The branches below must be a subset of the branches above
    branches: [ "main" ]
  schedule:
    - cron: '43 11 * * 6'

permissions:
  contents: read # for actions/checkout to fetch code
  security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
  actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status

env:
  IMAGE_NAME: appwrite/base
  REGISTRY: docker.io

jobs:
  scheduled_trivy:
    runs-on: ubuntu-24.04
    steps:
      - name: Checkout code
        uses: actions/checkout@v6.0.2

      - name: Build an image from Dockerfile
        run: |
          docker image build --tag ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }} .

      - name: Run Trivy vulnerability scanner (sarif report)
        uses: aquasecurity/trivy-action@0.35.0
        with:
          format: 'sarif'
          image-ref: '${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }}'
          output: 'trivy-image-results.sarif'
          severity: 'CRITICAL,HIGH'

      # https://github.com/github/codeql-action/blob/main/upload-sarif/action.yml
      - name: Upload Trivy scan results
        uses: github/codeql-action/upload-sarif@v4
        with:
          sarif_file: '.'