Trivy Security Scan #18

Workflow file for this run

	name: Trivy Security Scan

	on:
	push:
	branches:
	- master
	pull_request:
	branches:
	- master
	schedule:
	# Run daily at 00:00 UTC
	- cron: "0 0 * * *"
	workflow_dispatch:

	permissions:
	contents: read
	security-events: write

	jobs:
	trivy-repo-scan:
	name: Trivy Repository Scan
	runs-on: ubuntu-latest
	steps:
	- name: Checkout repository
	uses: actions/checkout@v4

	- name: Run Trivy vulnerability scanner (repo)
	uses: aquasecurity/trivy-action@master
	with:
	scan-type: "fs"
	scan-ref: "."
	format: "sarif"
	output: "trivy-repo-results.sarif"
	severity: "CRITICAL,HIGH"

	- name: Upload Trivy scan results to GitHub Security tab
	uses: github/codeql-action/upload-sarif@v3
	if: always()
	with:
	sarif_file: "trivy-repo-results.sarif"

	trivy-image-scan:
	name: Trivy Image Scan
	runs-on: ubuntu-latest
	steps:
	- name: Checkout repository
	uses: actions/checkout@v4

	- name: Setup go
	uses: actions/setup-go@v5
	with:
	go-version-file: go.mod
	check-latest: true

	- name: Build binary
	run: \|
	make build_linux_amd64

	- name: Set up Docker Buildx
	uses: docker/setup-buildx-action@v3

	- name: Build Docker image for scanning
	uses: docker/build-push-action@v6
	with:
	context: .
	file: docker/Dockerfile
	platforms: linux/amd64
	push: false
	load: true
	tags: drone-ssh:scan

	- name: Run Trivy vulnerability scanner (image)
	uses: aquasecurity/trivy-action@master
	with:
	image-ref: "drone-ssh:scan"
	format: "sarif"
	output: "trivy-image-results.sarif"
	severity: "CRITICAL,HIGH"

	- name: Upload Trivy image scan results to GitHub Security tab
	uses: github/codeql-action/upload-sarif@v3
	if: always()
	with:
	sarif_file: "trivy-image-results.sarif"
	category: "trivy-image"

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

Trivy Security Scan #18

Workflow file

Trivy Security Scan #18

Uh oh!

Jobs

Run details

Workflow file for this run