add typed Platform enum and LogBlock with JSON/Text codecs; keep lega… #31
| name: Trivy Security Scan | |
| on: | |
| push: | |
| branches: | |
| - master | |
| pull_request: | |
| branches: | |
| - master | |
| schedule: | |
| - cron: '0 2 * * *' # Run daily at 2 AM UTC | |
| workflow_dispatch: # Allow manual triggering | |
| jobs: | |
| trivy-scan-repo: | |
| name: Scan Repository (Filesystem) | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v6 | |
| with: | |
| fetch-depth: 0 | |
| - name: Run Trivy vulnerability scanner in repo mode | |
| uses: aquasecurity/[email protected] | |
| with: | |
| scan-type: 'fs' | |
| ignore-unfixed: true | |
| format: 'table' | |
| exit-code: '1' | |
| severity: 'CRITICAL,HIGH,MEDIUM' | |
| trivy-scan-dockerhub: | |
| name: Scan Docker Hub Image | |
| runs-on: ubuntu-latest | |
| if: github.event_name == 'schedule' || github.event_name == 'workflow_dispatch' | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v6 | |
| - name: Run Trivy vulnerability scanner (Docker Hub) | |
| uses: aquasecurity/[email protected] | |
| with: | |
| image-ref: 'appleboy/gorush:latest' | |
| format: 'sarif' | |
| output: 'trivy-dockerhub-results.sarif' | |
| - name: Upload Trivy scan results to GitHub Security tab (Docker Hub) | |
| uses: github/codeql-action/upload-sarif@v3 | |
| if: always() | |
| with: | |
| sarif_file: 'trivy-dockerhub-results.sarif' | |
| - name: Run Trivy vulnerability scanner (Docker Hub Table format) | |
| uses: aquasecurity/[email protected] | |
| with: | |
| image-ref: 'appleboy/gorush:latest' | |
| format: 'table' | |
| exit-code: '1' | |
| ignore-unfixed: true | |
| vuln-type: 'os,library' | |
| severity: 'CRITICAL,HIGH' | |
| trivy-scan-ghcr: | |
| name: Scan GHCR Image | |
| runs-on: ubuntu-latest | |
| if: github.event_name == 'schedule' || github.event_name == 'workflow_dispatch' | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v6 | |
| - name: Run Trivy vulnerability scanner (GHCR) | |
| uses: aquasecurity/[email protected] | |
| with: | |
| image-ref: 'ghcr.io/appleboy/gorush:latest' | |
| format: 'sarif' | |
| output: 'trivy-ghcr-results.sarif' | |
| - name: Upload Trivy scan results to GitHub Security tab (GHCR) | |
| uses: github/codeql-action/upload-sarif@v3 | |
| if: always() | |
| with: | |
| sarif_file: 'trivy-ghcr-results.sarif' | |
| - name: Run Trivy vulnerability scanner (GHCR Table format) | |
| uses: aquasecurity/[email protected] | |
| with: | |
| image-ref: 'ghcr.io/appleboy/gorush:latest' | |
| format: 'table' | |
| exit-code: '1' | |
| ignore-unfixed: true | |
| vuln-type: 'os,library' | |
| severity: 'CRITICAL,HIGH' |
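Review bot: The workflow declares no `permissions:` block, so every job runs with the repository's default GITHUB_TOKEN scope; the `upload-sarif` steps in `trivy-scan-dockerhub` and `trivy-scan-ghcr` need `security-events: write`, which fails on repositories whose default is read-only, while on permissive defaults the `pull_request`-triggered `trivy-scan-repo` job also receives write-all it never uses. I would add a top-level `permissions:` with `contents: read` and grant `security-events: write` only on the two image-scan jobs, as sketched below. Separately, `actions/checkout@v6` and `github/codeql-action/upload-sarif@v3` are referenced by mutable tags; for a workflow that runs unattended on a schedule, pinning each action to a full commit SHA with the tag in a trailing comment is the usual supply-chain hardening (the trivy-action reference is rendered here as `[email protected]`, so I cannot confirm how it is pinned). The `latest` image tags are scanned without a digest, so a finding cannot be tied to a specific build; recording the resolved digest in the job output would help triage.
```yaml
name: Trivy Security Scan
# … unchanged: on: triggers …
permissions:
  contents: read

jobs:
  # … unchanged: trivy-scan-repo job …
  trivy-scan-dockerhub:
    name: Scan Docker Hub Image
    permissions:
      contents: read
      security-events: write
    # … unchanged: runs-on, if, steps …
  trivy-scan-ghcr:
    name: Scan GHCR Image
    permissions:
      contents: read
      security-events: write
    # … unchanged: runs-on, if, steps …
```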