trivy.yaml

name: Trivy

on:
  schedule:
    - cron: '0 10 * * *'

jobs:
  list-branches-to-scan:
    runs-on: ubuntu-latest
    outputs:
      branches: ${{ steps.branches.outputs.branches }}
    steps:
      - name: Checking out repo
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - name: List branches to scan
        id: branches
        run: |
          # regex matches branches like
          #  origin/1.28
          #  origin/v1.1
          #  origin/release-1.30
          #  origin/main
          BRANCHES=$(git branch -r | grep  -E '^  origin\/(((v|release-)?[0-9]+.[0-9]+)|main)$' | \
            sed -e 's#^  origin/##'  | jq -R -s -c 'split("\n")[:-1]')
          echo "branches=$(echo $BRANCHES)" >> $GITHUB_OUTPUT
  scan:
    runs-on: ubuntu-latest
    needs: list-branches-to-scan
    strategy:
      matrix:
        branch: ${{ fromJson(needs.list-branches-to-scan.outputs.branches) }}
    permissions:
      security-events: write
    steps:
      - name: Checking out repo
        uses: actions/checkout@v4
        with:
          ref: ${{ matrix.branch }}
          fetch-depth: 0
      - name: Run Trivy vulnerability scanner in repo mode
        uses: aquasecurity/trivy-action@0.28.0
        with:
          scan-type: "fs"
          ignore-unfixed: true
          format: "sarif"
          output: "output.sarif"
          severity: "MEDIUM,HIGH,CRITICAL"
        env:
          TRIVY_DB_REPOSITORY: "public.ecr.aws/aquasecurity/trivy-db"
      - name: Get commit sha
        run: |
          SHA="$(git rev-parse HEAD)"
          echo "head_sha=$SHA" >> "$GITHUB_ENV"
      - name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: "output.sarif"
          sha: ${{ env.head_sha }}
          ref: refs/heads/${{ matrix.branch }}