From 53f5c5cedfd3f9032989483701c0a25764f2d4e3 Mon Sep 17 00:00:00 2001 From: appleboy Date: Sat, 8 Nov 2025 10:25:32 +0800 Subject: [PATCH] ci: add automated Trivy security scanning via GitHub Actions - Add a GitHub Action workflow to perform Trivy security scans on the repository - Configure scheduled, push, and pull request triggers for the scan - Upload vulnerability scan results to the GitHub Security tab in SARIF format - Include additional scan step with table output and failure on detected vulnerabilities Signed-off-by: appleboy --- .github/workflows/trivy-scan.yml | 51 ++++++++++++++++++++++++++++++++ 1 file changed, 51 insertions(+) create mode 100644 .github/workflows/trivy-scan.yml diff --git a/.github/workflows/trivy-scan.yml b/.github/workflows/trivy-scan.yml new file mode 100644 index 0000000..0af4890 --- /dev/null +++ b/.github/workflows/trivy-scan.yml @@ -0,0 +1,51 @@ +name: Trivy Security Scan + +on: + schedule: + - cron: '0 0 * * *' + pull_request: + branches: + - master + push: + branches: + - master + workflow_dispatch: + +jobs: + trivy-scan: + name: Trivy Security Scan + runs-on: ubuntu-latest + permissions: + contents: read + security-events: write + actions: read + + steps: + - name: Checkout code + uses: actions/checkout@v4 + + - name: Run Trivy vulnerability scanner in repo mode + uses: aquasecurity/trivy-action@0.33.1 + with: + scan-type: 'fs' + scan-ref: '.' + scanners: 'vuln,secret,misconfig' + format: 'sarif' + output: 'trivy-results.sarif' + severity: 'CRITICAL,HIGH,MEDIUM' + + - name: Upload Trivy results to GitHub Security tab + uses: github/codeql-action/upload-sarif@v3 + if: always() + with: + sarif_file: 'trivy-results.sarif' + + - name: Run Trivy vulnerability scanner (table format) + uses: aquasecurity/trivy-action@0.33.1 + with: + scan-type: 'fs' + scan-ref: '.' + scanners: 'vuln,secret,misconfig' + format: 'table' + severity: 'CRITICAL,HIGH,MEDIUM' + exit-code: '1'