From f3ace6f519d5057b50ce967595730456ec06d8c2 Mon Sep 17 00:00:00 2001
From: Bo-Yi Wu
Date: Thu, 16 Apr 2026 18:10:12 +0800
Subject: [PATCH] ci: add Trivy security scanning for source code and Docker image
- Add independent trivy.yml workflow with repo scan and image scan jobs
- Add Trivy image scan step in docker.yml before pushing Docker image
- Add security-events permission for SARIF upload
- Add Trivy Security Scan badge to README
---
 .github/workflows/docker.yml | 30 +++++++++++++
 .github/workflows/trivy.yml | 85 ++++++++++++++++++++++++++++++++++++
 README.md | 1 +
 3 files changed, 116 insertions(+)
 create mode 100644 .github/workflows/trivy.yml
diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
index 18cefdb..88e116d 100644
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -10,6 +10,11 @@ on:
 branches:
 - "master"
+permissions:
+ contents: read
+ packages: write
+ security-events: write
+
 jobs:
 build-docker:
 runs-on: ubuntu-latest
@@ -60,6 +65,31 @@ jobs:
 type=semver,pattern={{major}}.{{minor}}
 type=semver,pattern={{major}}
+ - name: Build image for scanning
+ uses: docker/build-push-action@v7
+ with:
+ context: .
+ file: docker/Dockerfile
+ platforms: linux/amd64
+ push: false
+ load: true
+ tags: drone-telegram:scan
+ - name: Run Trivy vulnerability scanner
+ uses: aquasecurity/trivy-action@v0.35.0
+ with:
+ image-ref: "drone-telegram:scan"
+ format: "sarif"
+ output: "trivy-image-results.sarif"
+ severity: "CRITICAL,HIGH"
+ - name: Upload Trivy scan results to GitHub Security tab
+ uses: github/codeql-action/upload-sarif@v4
+ if: always()
+ with:
+ sarif_file: "trivy-image-results.sarif"
+ category: "trivy-docker-image"
+
 - name: Build and push
 uses: docker/build-push-action@v7
 with:
diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml
new file mode 100644
index 0000000..f7265d9
--- /dev/null
+++ b/.github/workflows/trivy.yml 
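Review bot: The `Run Trivy vulnerability scanner` step in the second docker.yml hunk never fails the job, so the `Build and push` step that follows it pushes the image even when CRITICAL/HIGH findings are reported; add `exit-code: "1"` (and, if noise is a concern, `ignore-unfixed: true`) to that step's `with:` block so the push is actually gated, keeping `if: always()` on the upload step so the SARIF still reaches the Security tab — the same applies to both trivy-action steps in the new trivy.yml. The image that is scanned is a separate `linux/amd64` `load: true` build tagged `drone-telegram:scan`, not the artifact the `Build and push` step produces, so if that step builds other platforms or its cache diverges, what is scanned is not what is published; scanning the pushed digest, or restricting the push to the scanned platform, would close that gap (the `Build and push` step's `with:` block continues outside the hunk). Every third-party action touched by this commit is pinned to a mutable tag (`aquasecurity/trivy-action@v0.35.0`, `github/codeql-action/upload-sarif@v4`, `docker/build-push-action@v7`); for a workflow that now declares `packages: write`, pinning each `uses:` to a full commit SHA with the tag in a trailing comment is the usual supply-chain hardening.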
@@ -0,0 +1,85 @@
+name: Trivy Security Scan
+
+on:
+ push:
+ branches:
+ - master
+ pull_request:
+ branches:
+ - master
+ schedule:
+ # Run daily at 00:00 UTC
+ - cron: "0 0 * * *"
+ workflow_dispatch:
+
+permissions:
+ contents: read
+ security-events: write
+
+jobs:
+ trivy-repo-scan:
+ name: Trivy Repository Scan
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v6
+
+ - name: Run Trivy vulnerability scanner (repo)
+ uses: aquasecurity/trivy-action@v0.35.0
+ with:
+ scan-type: "fs"
+ scan-ref: "."
+ format: "sarif"
+ output: "trivy-repo-results.sarif"
+ severity: "CRITICAL,HIGH"
+ - name: Upload Trivy scan results to GitHub Security tab
+ uses: github/codeql-action/upload-sarif@v4
+ if: always()
+ with:
+ sarif_file: "trivy-repo-results.sarif"
+
+ trivy-image-scan:
+ name: Trivy Image Scan
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v6
+
+ - name: Setup go
+ uses: actions/setup-go@v6
+ with:
+ go-version-file: go.mod
+ check-latest: true
+
+ - name: Build binary
+ run: |
+ make build_linux_amd64
+
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@v4
+
+ - name: Build Docker image for scanning
+ uses: docker/build-push-action@v7
+ with:
+ context: .
+ file: docker/Dockerfile
+ platforms: linux/amd64
+ push: false
+ load: true
+ tags: drone-telegram:scan
+ - name: Run Trivy vulnerability scanner (image)
+ uses: aquasecurity/trivy-action@v0.35.0
+ with:
+ image-ref: "drone-telegram:scan"
+ format: "sarif"
+ output: "trivy-image-results.sarif"
+ severity: "CRITICAL,HIGH"
+ - name: Upload Trivy image scan results to GitHub Security tab
+ uses: github/codeql-action/upload-sarif@v4
+ if: always()
+ with:
+ sarif_file: "trivy-image-results.sarif"
+ category: "trivy-image"
diff --git a/README.md b/README.md
index a1a7bbf..083e326 100644
--- a/README.md
+++ b/README.md 
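Review bot: The `trivy-image-scan` job scans the same `drone-telegram:scan` image that docker.yml now scans on every push to master, but uploads it under `category: "trivy-image"` while docker.yml uses `"trivy-docker-image"`, so identical findings will show up twice in the Security tab as two separate tool runs; use one category in both workflows, or keep the image scan in only one of them. The repo-scan upload step has no `category:` at all, unlike the image upload in the same file; add `category: "trivy-repo"` so the two uploads from this workflow stay distinguishable in code scanning. This workflow also runs on `pull_request`, and for pull requests opened from forks the job token is not granted `security-events: write`, so both `upload-sarif` steps will fail there even with `if: always()`; guard them with `if: always() && (github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository)` so fork PRs still get the scan output in the job log without a failing upload step.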
@@ -3,6 +3,7 @@
 ![logo](./images/logo.png)
 [![GoDoc](https://godoc.org/github.com/appleboy/drone-telegram?status.svg)](https://godoc.org/github.com/appleboy/drone-telegram)
+[![Trivy Security Scan](https://github.com/appleboy/drone-telegram/actions/workflows/trivy.yml/badge.svg?branch=master)](https://github.com/appleboy/drone-telegram/actions/workflows/trivy.yml)
 [![codecov](https://codecov.io/gh/appleboy/drone-telegram/branch/master/graph/badge.svg)](https://codecov.io/gh/appleboy/drone-telegram)
 [![Go Report Card](https://goreportcard.com/badge/github.com/appleboy/drone-telegram)](https://goreportcard.com/report/github.com/appleboy/drone-telegram)