.github/workflows/trivy-scan.yaml

name: Trivy Scan

on:
  # Run weekly
  schedule:
  - cron: '0 12 * * 1'
  # Allow manual runs
  workflow_dispatch:

permissions:
  contents: read

jobs:
  trivy-scan:
    strategy:
      matrix:
        branch:
        - main
        - release-1.28
        - release-1.27
        - release-1.26
    runs-on: ubuntu-latest
    permissions:
      security-events: write
    steps:
      - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
        with:
          persist-credentials: false
          ref: ${{ matrix.branch }}
      - uses: aquasecurity/trivy-action@d710430a6722f083d3b36b8339ff66b32f22ee55 # 0.19.0
        with:
          scanners: vuln
          scan-type: 'fs'
          format: 'sarif'
          output: 'trivy-results.sarif'
          ignore-unfixed: true
          severity: 'HIGH,CRITICAL'
      - uses: github/codeql-action/upload-sarif@d39d31e687223d841ef683f52467bd88e9b21c14 # v3.25.3
        with:
          sarif_file: 'trivy-results.sarif'