name: Trivy vulnerability scan on: workflow_dispatch: schedule: - cron: '0 4 * * *' # Nightly 4AM UTC jobs: build: name: Trivy runs-on: ubuntu-20.04 steps: - name: Checkout code uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0 - name: Run Trivy vulnerability scanner in repo mode uses: aquasecurity/trivy-action@8bd2f9fbda2109502356ff8a6a89da55b1ead252 # master with: scan-type: 'fs' ignore-unfixed: true format: 'sarif' output: 'trivy-results.sarif' severity: 'CRITICAL' skip-dirs: 'website/,tools/,infrastructure/,test/,orbit/pkg/insecure/' trivyignores: '.trivyignore' security-checks: 'vuln' - name: Upload Trivy scan results to GitHub Security tab uses: github/codeql-action/upload-sarif@32dc499307d133bb5085bae78498c0ac2cf762d5 # v2.2.5 with: sarif_file: 'trivy-results.sarif'