Merge branch 'main' into next #1786
| name: 🛡️ Trivy Security Check | |
| on: | |
| pull_request: | |
| workflow_call: | |
| push: | |
| branches: | |
| - main | |
| - next | |
| schedule: | |
| - cron: "0 5 * * *" | |
| jobs: | |
| build: | |
| # Scheduled runs are triggered only from the default branch; scan main and next explicitly. | |
| if: github.event_name != 'schedule' | |
| name: 🛡️ Trivy Security Check | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: read | |
| security-events: write | |
| actions: read | |
| steps: | |
| - name: Run Trivy Security check on Repository | |
| uses: it-at-m/lhm_actions/action-templates/actions/action-trivy@877aafa9f0732cbc91819b60d237c351ea88f95c # v1.0.34 | |
| scheduled: | |
| if: github.event_name == 'schedule' | |
| name: 🛡️ Trivy Security Check (${{ matrix.branch }}) | |
| runs-on: ubuntu-latest | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| branch: [main, next] | |
| permissions: | |
| contents: read | |
| security-events: write | |
| actions: read | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 | |
| with: | |
| ref: ${{ matrix.branch }} | |
| fetch-depth: 0 | |
| persist-credentials: false | |
| - name: Run Trivy vulnerability scanner in repository mode | |
| uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25 # v0.36.0 | |
| with: | |
| scan-type: fs | |
| scan-ref: . | |
| format: json | |
| exit-code: "1" | |
| timeout: 15m0s | |
| trivyignores: .trivyignore | |
| output: trivy-report.json | |
| - name: Convert Trivy report | |
| if: always() && hashFiles('trivy-report.json') != '' | |
| shell: bash | |
| run: | | |
| trivy convert --format table --output trivy-results.txt trivy-report.json | |
| cat trivy-results.txt | |
| trivy convert --format sarif --output trivy-results.sarif trivy-report.json | |
| - name: Upload vulnerability scan results | |
| uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 | |
| if: always() | |
| with: | |
| name: trivy-report-${{ matrix.branch }} | |
| path: trivy-report.json | |
| retention-days: 7 | |
| - name: Upload Trivy scan results to GitHub Security tab | |
| if: always() && hashFiles('trivy-results.sarif') != '' | |
| uses: github/codeql-action/upload-sarif@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2 | |
| with: | |
| sarif_file: trivy-results.sarif | |
| category: trivy-${{ matrix.branch }} |
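Review bot: In the `scheduled` job the SARIF upload at the last step is only distinguished by `category: trivy-${{ matrix.branch }}`; `upload-sarif` attributes the results to the workflow run's own `github.ref` and `github.sha`, which for a scheduled run is the default branch, so the findings from the other matrix leg's checkout would land on the wrong branch and commit in the Security tab. The action accepts `ref` and `sha` inputs for exactly this case; give the checkout step `id: checkout` and add `ref: refs/heads/${{ matrix.branch }}` and `sha: ${{ steps.checkout.outputs.commit }}` under the upload step's `with:`. The `Convert Trivy report` step also assumes a `trivy` binary on PATH, which presumably the pinned `trivy-action` release installs; if it does not, the SARIF is never produced and the guarded upload is silently skipped rather than failing, so a comment such as `# relies on trivy-action leaving the trivy CLI on PATH` would help the next maintainer.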