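# Trivy security scanning for the container images, the npm dependency tree
# and the Dockerfile configuration. Every scan emits SARIF that is uploaded
# to GitHub code scanning (Security tab), one category per scan.
name: Trivy Security Scan

# `on` is read as a YAML 1.1 boolean key by generic parsers; GitHub's loader
# handles it, so yamllint's truthy rule can be ignored for this key.
on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
  schedule:
    # Weekly rescan (Mondays, 06:00 UTC) so CVEs published after the last
    # push still surface against unchanged images and dependencies.
    - cron: '0 6 * * 1'
  workflow_dispatch:

# Least privilege for GITHUB_TOKEN: checkout needs contents:read and
# upload-sarif needs security-events:write.
# NOTE(review): for private repositories upload-sarif additionally needs
# `actions: read` -- confirm against the codeql-action docs if this repo is private.
# NOTE(review): on pull_request events from forks GITHUB_TOKEN is read-only,
# so the SARIF upload steps cannot write security events there -- confirm
# whether fork PRs are expected to run this workflow.
permissions:
  contents: read
  security-events: write

jobs:
  # Builds each Dockerfile variant and scans the resulting image.
  # This is the only job that gates: see exit-code below.
  scan-image:
    runs-on: ubuntu-latest
    strategy:
      matrix:
        image:
          - name: bentopdf
            file: Dockerfile
          - name: bentopdf-nonroot
            file: Dockerfile.nonroot
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      # push: false + load: true builds into the runner's local Docker daemon
      # so Trivy can scan the image without a registry round-trip.
      # no-cache: true forces a full rebuild so the scan reflects the current
      # upstream base layers rather than a cached copy.
      - name: Build image for scanning
        uses: docker/build-push-action@v6
        with:
          context: .
          file: ${{ matrix.image.file }}
          push: false
          load: true
          tags: ${{ matrix.image.name }}:scan
          no-cache: true

      # NOTE(review): `@master` is a mutable ref -- the action's code (and the
      # Trivy binary it fetches) can change underneath this workflow at any
      # time. Pin to a release tag or, better, a full commit SHA. The same
      # applies to the trivy-action steps in scan-dependencies and scan-config.
      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: ${{ matrix.image.name }}:scan
          format: sarif
          output: trivy-${{ matrix.image.name }}.sarif
          severity: CRITICAL,HIGH
          # Fail the job on CRITICAL/HIGH findings. The upload step below still
          # runs after that failure so the findings are recorded.
          exit-code: '1'

      # `!cancelled()` rather than `always()`: upload after a failed scan
      # (findings) but skip it when the job was cancelled.
      - name: Upload Trivy results to GitHub Security
        uses: github/codeql-action/upload-sarif@v4
        if: ${{ !cancelled() }}
        with:
          sarif_file: trivy-${{ matrix.image.name }}.sarif
          # Distinct category per matrix entry keeps the two images' results
          # as separate analyses in code scanning.
          category: trivy-${{ matrix.image.name }}

  # Filesystem scan of the checked-out tree, vulnerabilities only
  # (scanners: vuln), which covers the npm lockfile/manifests.
  # Unlike scan-image no exit-code is set, so this job is report-only:
  # CRITICAL/HIGH findings are uploaded but do not fail the workflow.
  # NOTE(review): confirm report-only is intended for dependency findings.
  scan-dependencies:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Scan npm dependencies with Trivy
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: fs
          scan-ref: .
          format: sarif
          output: trivy-deps.sarif
          severity: CRITICAL,HIGH
          scanners: vuln

      - name: Upload dependency scan results
        uses: github/codeql-action/upload-sarif@v4
        if: ${{ !cancelled() }}
        with:
          sarif_file: trivy-deps.sarif
          category: trivy-dependencies

  # Misconfiguration scan (scan-type: config) of the repository, which picks
  # up both Dockerfiles. Also report-only: no exit-code is set.
  scan-config:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Scan Dockerfiles for misconfigurations
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: config
          scan-ref: .
          format: sarif
          output: trivy-config.sarif
          severity: CRITICAL,HIGH

      - name: Upload config scan results
        uses: github/codeql-action/upload-sarif@v4
        if: ${{ !cancelled() }}
        with:
          sarif_file: trivy-config.sarif
          category: trivy-config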