diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml new file mode 100644 index 0000000..a1b119b --- /dev/null +++ b/.github/workflows/scan.yml @@ -0,0 +1,26 @@ +name: build + +on: + schedule: + # Scan the image regularly (once a day) + - cron: '13 02 * * *' + +jobs: + build: + name: Scan current image & report results + runs-on: "ubuntu-20.04" + steps: + - name: Run Trivy vulnerability scanner + uses: aquasecurity/trivy-action@master + with: + image-ref: 'ghcr.io/wonderfall/mastodon' + format: 'template' + template: '@/contrib/sarif.tpl' + output: 'trivy-results.sarif' + severity: 'CRITICAL,HIGH' + vuln-type: "os" + + - name: Upload Trivy scan results to GitHub Security tab + uses: github/codeql-action/upload-sarif@v1 + with: + sarif_file: 'trivy-results.sarif'