Skip to content

scan

scan #1502

name: scan
on:
schedule:
- cron: "0 8 * * *"
# Declare default permissions as read only.
permissions: read-all
jobs:
scan:
name: Scan
runs-on: ubuntu-24.04
permissions:
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
steps:
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0 # 0.29.0
with:
image-ref: "ghcr.io/chgl/kube-powertools:latest"
format: "template"
template: "@/contrib/sarif.tpl"
output: "trivy-results.sarif"
severity: "CRITICAL,HIGH"
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@df409f7d9260372bd5f19e5b04e83cb3c43714ae # v3.27.9
with:
sarif_file: "trivy-results.sarif"