# Trivy configured to scan for vulnerable dependencies in the project software composition name: Trivy Scan # Events that triggers Trivy to run on: push: branches: [main] pull_request: branches: [main] jobs: build: name: Trivy Vulnerability Scanner runs-on: ubuntu-latest # Skip any PR created by dependabot to avoid permission issues (if used) if: (github.actor != 'dependabot[bot]') steps: # Checking out the repo to scan - name: Checkout code uses: actions/checkout@v2 # Run Trivy with the following args - name: Run Trivy uses: aquasecurity/trivy-action@master with: scan-type: 'fs' # Filesystem mode ignore-unfixed: true # Ignore vulnerabilities with no available fix format: 'template' # Template output mode template: '@/contrib/sarif.tpl' # SARIF template to be compatible with GitHub security tab output: 'trivy-results.sarif' # Output file name severity: 'CRITICAL' # Report error only on critical vulnerabilities. Warn on lower severities exit-code: '1' # Fail the job if a critical vulnerability with fix available is found # Generate the output as SARIF and upload to the security tab - name: Upload Trivy results uses: github/codeql-action/upload-sarif@v1 if: always() # Upload even if the job has failed due to a vulnerability with: sarif_file: 'trivy-results.sarif'