inga/.github/workflows/trivy.yml at c4b6a7498729c9ada149d3a0bea2984be514e2f0 · seachicken/inga · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
name: Scan Docker images

on:
  schedule:
    - cron: '22 15 * * *'

env:
  REGISTRY: ghcr.io
  IMAGE_NAME: ${{ github.actor }}/inga

jobs:
  build-and-scan-image:

    runs-on: ubuntu-latest
    strategy:
      matrix:
        target: [typescript, java]

    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1
        with:
          image-ref: '${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest-${{ matrix.target }}'
          format: 'sarif'
          output: 'trivy-results.sarif'

      - name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: 'trivy-results.sarif'