From b62726773e41bb5bd7af74eb3d91a0d0d6920229 Mon Sep 17 00:00:00 2001
From: Andrei Tarassov
Date: Fri, 24 Nov 2023 14:16:13 +1100
Subject: [PATCH] Add trivy scanner

---
 .github/workflows/build-and-test.yml | 26 ++++++++++++++++++++++++++
 1 file changed, 26 insertions(+)

diff --git a/.github/workflows/build-and-test.yml b/.github/workflows/build-and-test.yml
index e87a5d8..70340f6 100644
--- a/.github/workflows/build-and-test.yml
+++ b/.github/workflows/build-and-test.yml
@@ -33,3 +33,29 @@ jobs:
 cd build
 make package
 make test
+
+ - name: Generate Trivy vulnerability scan report
+ uses: aquasecurity/trivy-action@0.14.0
+ with:
+ scan-type: 'fs'
+ format: 'sarif'
+ exit-code: '0'
+ ignore-unfixed: true
+ severity: 'CRITICAL,HIGH'
+ output: 'trivy-results.sarif'
+ hide-progress: true
+
+ - name: Upload Trivy scan report to GitHub Security tab
+ uses: github/codeql-action/upload-sarif@v2
+ with:
+ sarif_file: 'trivy-results.sarif'
+
+ - name: Test with Trivy vulnerability scanner
+ uses: aquasecurity/trivy-action@0.14.0
+ with:
+ scan-type: 'fs'
+ format: 'table'
+ exit-code: '1'
+ ignore-unfixed: true
+ severity: 'CRITICAL'
+ hide-progress: true
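Review bot: The `upload-sarif` step added here needs the job's `GITHUB_TOKEN` to carry `security-events: write`, and nothing in the hunk grants it; the workflow's `permissions:` block, if there is one, sits above the hunk (as does the `run:` block the `cd build`/`make test` context lines belong to), so if the repository default token is read-only the upload fails with a 403 while the build stays green. Add at job or workflow level `permissions:` / `  contents: read` / `  security-events: write`. The three `uses:` lines reference mutable tags (`aquasecurity/trivy-action@0.14.0`, `github/codeql-action/upload-sarif@v2`); for steps that read the checked-out tree and publish results under the repository's token, pin each to a full commit SHA with the tag kept in a trailing comment, e.g. `uses: aquasecurity/trivy-action@<sha> # 0.14.0`, so a moved or re-tagged release cannot change what runs. It is also worth a comment above the second scanner step stating the policy the two steps encode — HIGH findings are reported to the Security tab but only CRITICAL fails the build, and findings without a fix are hidden by `ignore-unfixed` in both — since a reader otherwise sees the same `fs` scan run twice with different severity lists and no explanation.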