Trivy code scanner #410
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # | |
| # SPDX-FileCopyrightText: 2024 INFO.nl | |
| # SPDX-License-Identifier: EUPL-1.2+ | |
| # | |
| name: Trivy code scanner | |
| on: | |
| push: | |
| branches: [main] | |
| pull_request: | |
| branches: [main] | |
| schedule: | |
| - cron: "21 11 * * 0" | |
| permissions: | |
| # Required for uploading SARIF reports | |
| security-events: write | |
| jobs: | |
| build: | |
| name: Run Trivy code scanner | |
| runs-on: ubuntu-24.04 | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| - name: Run Trivy vulnerability scanner in repo mode with Sarif output | |
| # Note that Trivy for Java requires a Gradle lock file. | |
| # We do not use Gradle dependency locking yet because we use Dependabot | |
| # to update our Gradle dependencies and Dependabot does not support Gradle lock | |
| # files yet. See: https://github.com/dependabot/dependabot-core/issues/2222 | |
| uses: aquasecurity/trivy-action@master | |
| # Only run on main branch | |
| if: github.ref == 'refs/heads/main' | |
| with: | |
| scan-type: 'fs' | |
| ignore-unfixed: true | |
| format: 'sarif' | |
| limit-severities-for-sarif: true | |
| output: 'trivy-results.sarif' | |
| severity: 'CRITICAL,HIGH' | |
| - name: Upload Trivy scan results to GitHub Security tab | |
| uses: github/codeql-action/upload-sarif@9e8d0789d4a0fa9ceb6b1738f7e269594bdd67f0 # v3.28.9 | |
| if: github.ref == 'refs/heads/main' | |
| with: | |
| sarif_file: 'trivy-results.sarif' |