diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml new file mode 100644 index 0000000..ae8150c --- /dev/null +++ b/.github/workflows/scan.yml @@ -0,0 +1,29 @@ +name: scan + +on: + schedule: + # Scan the image regularly (once a day) + - cron: '45 03 * * *' + +jobs: + build: + name: Scan current image & report results + runs-on: "ubuntu-20.04" + steps: + - name: Checkout code + uses: actions/checkout@v2 + + - name: Run Trivy vulnerability scanner + uses: aquasecurity/trivy-action@master + with: + image-ref: 'ghcr.io/wonderfall/synapse' + format: 'template' + template: '@/contrib/sarif.tpl' + output: 'trivy-results.sarif' + severity: 'CRITICAL,HIGH' + vuln-type: "os" + + - name: Upload Trivy scan results to GitHub Security tab + uses: github/codeql-action/upload-sarif@v1 + with: + sarif_file: 'trivy-results.sarif' \ No newline at end of file