fleet/.github/workflows/trivy_scan.yml

name: Trivy vulnerability scan
on:
  workflow_dispatch:
  schedule:
  - cron: '0 4 * * *' # Nightly 4AM UTC
jobs:
  build:
    name: Trivy
    runs-on: ubuntu-20.04
    steps:
      - name: Checkout code
        uses: actions/checkout@v3

      - name: Run Trivy vulnerability scanner in repo mode
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: 'fs'
          ignore-unfixed: true
          format: 'sarif'
          output: 'trivy-results.sarif'
          severity: 'CRITICAL'
          skip-dirs: 'website/,tools/,infrastructure/,test/,orbit/pkg/insecure/'
          trivyignores: '.trivyignore'
          security-checks: 'vuln'

      - name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: 'trivy-results.sarif'
8241 trivy ignore file action (#8345) * Create .trivyignore Adding original trivy ignore file. Working to resolve/document more of the findings, especially around go.mod. Will add a github action as well. * Adding default trivy scan for testing * Update trivy_scan.yml Making it manual + daily for now * Update trivy_scan.yml updating name * Renamed + configured Trivy scan 2022-10-31 14:50:29 +00:00			`name: Trivy vulnerability scan`
			`on:`
			`workflow_dispatch:`
			`schedule:`
			`- cron: '0 4 * * *' # Nightly 4AM UTC`
			`jobs:`
			`build:`
			`name: Trivy`
			`runs-on: ubuntu-20.04`
			`steps:`
			`- name: Checkout code`
			`uses: actions/checkout@v3`

			`- name: Run Trivy vulnerability scanner in repo mode`
			`uses: aquasecurity/trivy-action@master`
			`with:`
			`scan-type: 'fs'`
			`ignore-unfixed: true`
			`format: 'sarif'`
			`output: 'trivy-results.sarif'`
			`severity: 'CRITICAL'`
			`skip-dirs: 'website/,tools/,infrastructure/,test/,orbit/pkg/insecure/'`
			`trivyignores: '.trivyignore'`
			`security-checks: 'vuln'`

			`- name: Upload Trivy scan results to GitHub Security tab`
			`uses: github/codeql-action/upload-sarif@v2`
			`with:`
			`sarif_file: 'trivy-results.sarif'`