.github/workflows/trivy-scan.yaml

name: Trivy Scan

on:
  # Run weekly
  schedule:
  - cron: '0 12 * * 1'
  # Allow manual runs
  workflow_dispatch:

permissions:
  contents: read

jobs:
  trivy-scan:
    strategy:
      matrix:
        branch:
        - main
        - release-1.29
        - release-1.28
        - release-1.27
    runs-on: ubuntu-latest
    permissions:
      security-events: write
    steps:
      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
        with:
          persist-credentials: false
          ref: ${{ matrix.branch }}
      - uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8 # 0.24.0
        with:
          scanners: vuln
          scan-type: 'fs'
          format: 'sarif'
          output: 'trivy-results.sarif'
          ignore-unfixed: true
          severity: 'HIGH,CRITICAL'
      - uses: github/codeql-action/upload-sarif@2d790406f505036ef40ecba973cc774a50395aac # v3.25.13
        with:
          sarif_file: 'trivy-results.sarif'