Skip to content

scan

scan #1040

name: scan
on:
schedule:
- cron: "0 8 * * *"
# Declare default permissions as read only.
permissions: read-all
jobs:
scan:
name: Scan
runs-on: ubuntu-22.04
permissions:
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
steps:
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@master
with:
image-ref: "ghcr.io/chgl/kube-powertools:latest"
format: "template"
template: "@/contrib/sarif.tpl"
output: "trivy-results.sarif"
severity: "CRITICAL,HIGH"
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@0225834cc549ee0ca93cb085b92954821a145866 # v2
with:
sarif_file: "trivy-results.sarif"