Trivy #366

	name: Trivy

	on:
	push:
	branches: [main]
	pull_request:
	branches: [main]
	schedule:
	- cron: "19 7 * * 0"

	concurrency:
	group: ${{ github.workflow }}-${{ github.head_ref \|\| github.run_id }}
	cancel-in-progress: true

	jobs:
	build:
	strategy:
	matrix:
	target: [aws, gcp, azure]
	platform: [linux/amd64, linux/arm64]
	name: Analyze
	runs-on: ubuntu-latest
	env:
	IMAGE_TAG: spacelift-${{ matrix.target }}:${{ github.sha }}

	steps:
	- name: Checkout code
	uses: actions/checkout@main

	- name: Set up QEMU
	if: matrix.platform == 'linux/arm64'
	uses: docker/setup-qemu-action@v3
	with:
	platforms: linux/arm64

	- name: Set up Docker Buildx
	uses: docker/setup-buildx-action@v3

	- name: Bake the image
	uses: docker/bake-action@v4
	with:
	targets: ${{ matrix.target }}
	load: true
	set: \|
	${{ matrix.target }}.tags=${{ env.IMAGE_TAG }}
	${{ matrix.target }}.platform=${{ matrix.platform }}

	- name: Run Trivy vulnerability scanner
	uses: aquasecurity/[email protected]
	with:
	image-ref: ${{ env.IMAGE_TAG }}
	format: "sarif"
	output: "trivy-results.sarif"
	severity: "CRITICAL,HIGH"
	timeout: "10m"
	env:
	TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db

	- name: Upload Trivy scan results to GitHub Security tab
	uses: github/codeql-action/upload-sarif@v3
	with:
	sarif_file: "trivy-results.sarif"

Provide feedback