name: Scan images using trivy on: workflow_dispatch: schedule: - cron: "0 13 * * *" jobs: scan: permissions: contents: read security-events: write # allow github/codeql-action/upload-sarif name: Scan for Security Vulnerabilities runs-on: ubuntu-18.04 steps: - name: Checkout code uses: actions/checkout@v2 - name: Run Trivy vulnerability scanner uses: aquasecurity/trivy-action@master with: image-ref: 'docker.io/library/rockylinux:8' format: 'sarif' output: 'trivy-results.sarif' exit-code: '1' ignore-unfixed: true vuln-type: 'os,library' severity: 'CRITICAL,HIGH,MEDIUM' - name: Upload Trivy scan results to GitHub Security tab uses: github/codeql-action/upload-sarif@v1 if: always() with: sarif_file: 'trivy-results.sarif' - name: Run Trivy vulnerability scanner uses: aquasecurity/trivy-action@master if: always() with: image-ref: 'docker.io/library/rockylinux:8' format: 'table' output: 'trivy-results' exit-code: '1' ignore-unfixed: true vuln-type: 'os,library' severity: 'CRITICAL,HIGH,MEDIUM' - name: Save scan results as an artifact uses: actions/upload-artifact@v3 if: always() with: name: 'trivy-results' path: 'trivy-results'