name: Scan images using trivy on: push: workflow_dispatch: schedule: - cron: "0 13 * * *" jobs: scan: permissions: contents: write security-events: write # allow github/codeql-action/upload-sarif name: Scan for Security Vulnerabilities runs-on: ubuntu-18.04 steps: - name: Checkout code uses: actions/checkout@v2 - name: Create public folder run: | mkdir -p public/ - name: Run Trivy vulnerability scanner uses: aquasecurity/trivy-action@master with: image-ref: 'docker.io/rockylinux/rockylinux:8' format: 'sarif' output: 'public/trivy-results.sarif' exit-code: '1' ignore-unfixed: true vuln-type: 'os,library' severity: 'CRITICAL,HIGH,MEDIUM' - name: Upload Trivy scan results to GitHub Security tab uses: github/codeql-action/upload-sarif@v1 if: always() with: sarif_file: 'public/trivy-results.sarif' - name: Run Trivy vulnerability scanner uses: aquasecurity/trivy-action@master if: always() continue-on-error: true with: image-ref: 'docker.io/rockylinux/rockylinux:8' format: 'template' template: '@/contrib/html.tpl' output: 'public/index.html' exit-code: '1' ignore-unfixed: true vuln-type: 'os,library' severity: 'CRITICAL,HIGH,MEDIUM' - name: Save scan results to github pages uses: peaceiris/actions-gh-pages@v3 #if: ${{ github.ref == 'refs/heads/main' }} if: always() with: github_token: ${{ secrets.GITHUB_TOKEN }} publish_dir: ./public