Skip to content

ci(security): add Trivy filesystem vulnerability scan #1262

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
MukundaKatta wants to merge 1 commit into
base: main
Choose a base branch
from
+39 −0
Open

ci(security): add Trivy filesystem vulnerability scan #1262

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
39 changes: 39 additions & 0 deletions .github/workflows/trivy.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,39 @@
name: Trivy security scan

on:
push:
branches:
- main
pull_request:
workflow_dispatch:

permissions:
contents: read
security-events: write

jobs:
scan:
name: Trivy filesystem scan
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v6

- name: Run Trivy filesystem scan
uses: aquasecurity/trivy-action@0.36.0
with:
scan-type: fs
scan-ref: .
severity: HIGH,CRITICAL
ignore-unfixed: true
format: sarif
output: trivy-results.sarif
exit-code: "1"

# Always upload SARIF so findings show in the Security tab even when
# the previous step fails the job (exit-code: 1 on findings).
- name: Upload Trivy results to GitHub Security tab
if: always()
uses: github/codeql-action/upload-sarif@v3.35.2
with:
sarif_file: trivy-results.sarif
category: trivy-fs