name: scan on: schedule: # Scan the image regularly (once a day) - cron: '45 03 * * *' jobs: build: name: Scan current image & report results runs-on: "ubuntu-20.04" steps: - name: Checkout code uses: actions/checkout@v2 - name: Run Trivy vulnerability scanner uses: aquasecurity/trivy-action@master with: image-ref: 'ghcr.io/wonderfall/synapse' format: 'template' template: '@/contrib/sarif.tpl' output: 'trivy-results.sarif' severity: 'CRITICAL,HIGH' vuln-type: "os" - name: Upload Trivy scan results to GitHub Security tab uses: github/codeql-action/upload-sarif@v1 with: sarif_file: 'trivy-results.sarif'