trivy-scan.yml

name: Trivy Scan
on:
  push:
    branches: [ main ]
  pull_request:
    branches: [ main ]

jobs:
  trivy-scan:
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v4
    - name: Run Trivy vulnerability scanner (table output)
      uses: aquasecurity/trivy-action@0.28.0
      with:
        scan-type: 'fs'
        scanners: 'vuln'
        format: 'table'
        exit-code: 1
        ignore-unfixed: true
        vuln-type: 'os,library'
        severity: 'CRITICAL,HIGH'
        trivyignores: .trivyignore
    - name: Run Trivy vulnerability scanner (SARIF)
      uses: aquasecurity/trivy-action@0.28.0
      with:
        scan-type: 'fs'
        scanners: 'vuln'
        # Note: The SARIF format ignores severity and uploads all vulns for
        # later triage. The table-format step above is used to fail the build
        # if there are any critical or high vulnerabilities.
        # See https://github.com/aquasecurity/trivy-action/issues/95
        format: 'sarif'
        output: 'trivy-results.sarif'
        ignore-unfixed: true
        vuln-type: 'os,library'
        trivyignores: .trivyignore
      if: always() && github.repository == 'grafana/certmagic-gcs'
    - name: Upload Trivy scan results to GitHub Security tab
      uses: github/codeql-action/upload-sarif@v3
      with:
        sarif_file: 'trivy-results.sarif'
      if: always() && github.repository == 'grafana/certmagic-gcs'