name: Trivy Nightly Docker Scan on: # Run scans if the workflow is modified, in order to test the # workflow itself. This results in some spurious notifications, # but seems okay for testing. pull_request: branches: - main paths: - .github/workflows/trivy-docker.yaml # Run scans against master whenever changes are merged. push: branches: - main paths: - .github/workflows/trivy-docker.yaml schedule: # Run at 10:15 am UTC (3:15am PT/5:15am CT) # Run at 0 minutes 0 hours of every day. - cron: "15 10 * * *" workflow_dispatch: permissions: actions: none checks: none contents: read deployments: none issues: none packages: none pull-requests: none repository-projects: none security-events: write statuses: none # Cancel in-progress runs for pull requests when developers push # additional changes, and serialize builds in branches. # https://docs.github.com/en/actions/using-jobs/using-concurrency#example-using-concurrency-to-cancel-any-in-progress-job-or-run concurrency: group: ${{ github.workflow }}-${{ github.ref }} jobs: trivy-scan-image: runs-on: ubuntu-20.04 steps: - name: Checkout code uses: actions/checkout@v3 - name: Run Trivy vulnerability scanner in image mode uses: aquasecurity/trivy-action@0105373003c89c494a3f436bd5efc57f3ac1ca20 with: image-ref: "docker.io/codercom/code-server:latest" ignore-unfixed: true format: "sarif" output: "trivy-image-results.sarif" severity: "HIGH,CRITICAL" - name: Upload Trivy scan results to GitHub Security tab uses: github/codeql-action/upload-sarif@v2 with: sarif_file: "trivy-image-results.sarif"