Skip to content

Security scan

Security scan #4

Workflow file for this run

name: Security scan
on:
schedule:
- cron: 0 2 * * 1-5
release:
types:
- published
workflow_dispatch:
jobs:
trivy:
runs-on: ubuntu-latest
permissions:
security-events: write # upload sarif results
steps:
- name: Prepare
id: prep
env:
PUBLISHED_TAG: ${{ github.event.release.tag_name }}
GH_REPO: ${{ github.repository }}
GH_TOKEN: ${{ github.token }}
run: |
if [ -n "$PUBLISHED_TAG" ]; then
gitTag="$PUBLISHED_TAG"
else
# Get the tag name from the latest GitHub release
gitTag="$(gh api repos/{owner}/{repo}/releases/latest --jq .tag_name)"
fi
# Determine OCI image tag
imageTag="${gitTag//+/-}"
imageTag="${imageTag#v}"
{
echo git-tag="$gitTag"
echo image-tag="$imageTag"
} >>"$GITHUB_OUTPUT"
# The checkout is solely required for the upload-sarif action. It needs to
# know the ref and sha. Providing those manually won't work, for unknown
# reasons.
- name: Checkout
uses: actions/checkout@v4
with:
ref: ${{ format('refs/tags/{0}', steps.prep.outputs.git-tag) }}
persist-credentials: false
- name: Run Trivy vulnerability scanner
uses: aquasecurity/[email protected]
with:
image-ref: ${{ format('quay.io/{0}:{1}', github.repository, steps.prep.outputs.image-tag) }}
format: sarif
output: trivy-results.sarif
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: trivy-results.sarif