.github/workflows/security_scan.yml

name: Trivy Security Scan

on:
  push:
  workflow_dispatch:

jobs:
  security_scan:
    name: security_scan
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
      - name: Run static analysis (rootfs)
        uses: aquasecurity/trivy-action@0.26.0
        env:
          #try default GitHub DBs, if failing, use AWS mirror instead (https://github.com/aquasecurity/trivy-action/issues/389)
          TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db
          TRIVY_JAVA_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-java-db,public.ecr.aws/aquasecurity/trivy-java-db
        with:
          scan-type: "rootfs"
          scanners: "vuln,misconfig"
          ignore-unfixed: true
          format: 'table'
          severity: "CRITICAL,HIGH"
      - name: Run static analysis (repo)
        uses: aquasecurity/trivy-action@0.26.0
        env:
          #try default GitHub DBs, if failing, use AWS mirror instead (https://github.com/aquasecurity/trivy-action/issues/389)
          TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db
          TRIVY_JAVA_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-java-db,public.ecr.aws/aquasecurity/trivy-java-db
        with:
          scan-type: "repo"
          scanners: "vuln,misconfig"
          ignore-unfixed: true
          format: 'table'
          severity: "CRITICAL,HIGH"