Skip to content

scan

scan #1487

name: scan
on:
schedule:
- cron: "0 8 * * *"
# Declare default permissions as read only.
permissions: read-all
jobs:
scan:
name: Scan
runs-on: ubuntu-24.04
permissions:
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
steps:
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0 # 0.29.0
with:
image-ref: "ghcr.io/chgl/kube-powertools:latest"
format: "template"
template: "@/contrib/sarif.tpl"
output: "trivy-results.sarif"
severity: "CRITICAL,HIGH"
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@f09c1c0a94de965c15400f5634aa42fac8fb8f88 # v3.27.5
with:
sarif_file: "trivy-results.sarif"