From 97688108ba8783ade21dae7fa939c8607d700d4d Mon Sep 17 00:00:00 2001
From: Myst <1592048+LeMyst@users.noreply.github.com>
Date: Wed, 18 Dec 2024 02:49:06 +0100
Subject: [PATCH] Create recurrent-trivy.yaml

---
 .github/workflows/recurrent-trivy.yaml | 42 ++++++++++++++++++++++++++
 1 file changed, 42 insertions(+)
 create mode 100644 .github/workflows/recurrent-trivy.yaml

diff --git a/.github/workflows/recurrent-trivy.yaml b/.github/workflows/recurrent-trivy.yaml
new file mode 100644
index 00000000..fd19adb9
--- /dev/null
+++ b/.github/workflows/recurrent-trivy.yaml
@@ -0,0 +1,42 @@
+name: Trivy scan
+
+on:
+  schedule:
+    - cron: '42 3 * * *' # Run at 3:42 UTC every day
+  workflow_dispatch:
+
+jobs:
+  trivy:
+    name: recurrent trivy scan
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Get latest release
+        id: get_latest_release
+        run: |
+          latest_release=$(curl --silent "https://api.github.com/repos/${{ github.repository }}/releases/latest" | jq -r '.tag_name')
+          echo "Latest release tag: $latest_release"
+          echo "::set-output name=latest_release::$latest_release"
+
+      - name: Checkout latest release
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ steps.get_latest_release.outputs.latest_release }}
+
+      - name: Run Trivy vulnerability scanner with rootfs command
+        uses: aquasecurity/trivy-action@master
+        env:
+          TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db
+          TRIVY_JAVA_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-java-db
+        with:
+          scan-type: 'rootfs'
+          scan-ref: '.'
+          ignore-unfixed: true
+          format: 'sarif'
+          output: 'trivy-results.sarif'
+          severity: 'CRITICAL'
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: 'trivy-results.sarif'
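Review bot: `uses: aquasecurity/trivy-action@master` in the scan step pulls a mutable branch into a job that runs unattended on a schedule with the repository token, so any change upstream executes here without review; pin it to a full commit SHA (with the corresponding release tag in a trailing comment), as the other two steps are at least tag-pinned. The `echo "::set-output ..."` line in the first step uses the deprecated workflow command and should write to the step output file instead: `echo "latest_release=$latest_release" >> "$GITHUB_OUTPUT"`. The job declares no `permissions:` while `upload-sarif` needs `security-events: write`, so whether the upload succeeds depends on the repository's default token scope; declaring `contents: read` and `security-events: write` explicitly keeps the token least-privilege and independent of that setting. The `curl --silent` call has neither `--fail` nor an auth header, so a rate-limited or failed request makes `jq` emit `null` or nothing and the checkout then runs with an empty or literal `null` ref; checking the value before exporting it surfaces that failure instead.
```yaml
jobs:
  trivy:
    name: recurrent trivy scan
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write

    steps:
      - name: Get latest release
        id: get_latest_release
        run: |
          latest_release=$(curl --fail --silent "https://api.github.com/repos/${{ github.repository }}/releases/latest" | jq -r '.tag_name')
          if [ -z "$latest_release" ] || [ "$latest_release" = "null" ]; then
            echo "could not resolve latest release tag" >&2
            exit 1
          fi
          echo "Latest release tag: $latest_release"
          echo "latest_release=$latest_release" >> "$GITHUB_OUTPUT"

      # … unchanged: Checkout latest release step …

      - name: Run Trivy vulnerability scanner with rootfs command
        uses: aquasecurity/trivy-action@<FULL_COMMIT_SHA_PLACEHOLDER>  # <release tag placeholder>
        # … unchanged: env and with blocks …

      # … unchanged: Upload Trivy scan results step …
```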