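# Trivy vulnerability scanning in two independent jobs: a filesystem scan of
# the checked-out repository and an image scan of the freshly built Docker
# image. Both jobs emit SARIF and upload it to the code-scanning (Security)
# tab, so findings stay visible even when a scan step itself fails.
name: Trivy Security Scan

on:
  push:
    branches:
      - master
  pull_request:
    branches:
      - master
  schedule:
    # Run daily at 00:00 UTC
    - cron: "0 0 * * *"
  workflow_dispatch:

# Least-privilege token: read-only checkout, write only for SARIF upload.
# NOTE(review): upload-sarif on a private repository additionally needs
# `actions: read` — confirm against this repository's visibility.
permissions:
  contents: read
  security-events: write

# NOTE(review): all actions below are pinned to tags, which are mutable;
# pinning each `uses:` to a full commit SHA (with the tag as a trailing
# comment) gives a stronger supply-chain guarantee.
jobs:
  trivy-repo-scan:
    name: Trivy Repository Scan
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v6

      - name: Run Trivy vulnerability scanner (repo)
        uses: aquasecurity/trivy-action@v0.35.0
        with:
          scan-type: "fs"
          scan-ref: "."
          format: "sarif"
          output: "trivy-repo-results.sarif"
          severity: "CRITICAL,HIGH"

      - name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v4
        # always(): publish whatever was produced even if the scan step failed.
        if: always()
        with:
          sarif_file: "trivy-repo-results.sarif"
          # Explicit category, matching the image upload below, so the two
          # SARIF uploads from this workflow are tracked as distinct analyses.
          category: "trivy-repo"

  trivy-image-scan:
    name: Trivy Image Scan
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v6

      - name: Setup go
        uses: actions/setup-go@v6
        with:
          go-version-file: go.mod
          check-latest: true

      # The binary is built here and then copied into the image by the
      # Dockerfile; the image scan therefore covers this build's output.
      - name: Build binary
        run: |
          make build_linux_amd64

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v4

      # Build locally only (push: false, load: true); the image never leaves
      # the runner, it is just a scan target.
      - name: Build Docker image for scanning
        uses: docker/build-push-action@v7
        with:
          context: .
          file: docker/Dockerfile
          platforms: linux/amd64
          push: false
          load: true
          tags: drone-scp:scan

      - name: Run Trivy vulnerability scanner (image)
        uses: aquasecurity/trivy-action@v0.35.0
        with:
          image-ref: "drone-scp:scan"
          format: "sarif"
          output: "trivy-image-results.sarif"
          severity: "CRITICAL,HIGH"

      - name: Upload Trivy image scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v4
        # always(): publish whatever was produced even if the scan step failed.
        if: always()
        with:
          sarif_file: "trivy-image-results.sarif"
          category: "trivy-image"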