trivy.yml

name: Trivy Security Scans

on:
  pull_request:
    branches: [ "main" ]


jobs:
  build:
    name: build
    runs-on: ubuntu-20.04
    timeout-minutes: 30
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Run static analysis
        uses: aquasecurity/trivy-action@0.26.0
        env:
          #try default GitHub DBs, if failing, use AWS mirror instead (https://github.com/aquasecurity/trivy-action/issues/389)
          TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db
          TRIVY_JAVA_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-java-db,public.ecr.aws/aquasecurity/trivy-java-db
        with:
          scan-type: 'fs'
          security-checks: 'vuln,secret,config'
          ignore-unfixed: true
          format: 'sarif'
          output: 'trivy-results.sarif'
          severity: 'CRITICAL'
          github-pat: ${{ secrets.GITHUB_TOKEN }}


      - name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: 'trivy-results.sarif'
          category: 'code'