.github/workflows/trivy.yml

name: Code Scanning by Trivy

on:
  push:
    branches:
      - "main"
  pull_request:
  schedule:
    - cron: '0 0 * * 1'
  watch:
    types: [started]

jobs:
  use-build:
    uses: ./.github/workflows/build.yml

  scan-config:
    runs-on: self-hosted
    steps:
      - name: Checkout code
        uses: actions/checkout@v3

      - name: Run Trivy vulnerability scanner in config mode
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: 'config'
          scan-ref: '.'
          trivyignores: .trivyignore
          trivy-config: trivy.yaml

  scan-fs:
    runs-on: self-hosted
    steps:
      - name: Checkout code
        uses: actions/checkout@v3

      - name: Run Trivy vulnerability scanner in fs mode
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: 'fs'
          scan-ref: '.'
          trivyignores: .trivyignore
          trivy-config: trivy.yaml

  scan-image:
    runs-on: self-hosted
    needs: [use-build]
    steps:
      - name: Checkout code
        uses: actions/checkout@v3

      - name: Run Trivy vulnerability scanner in image mode
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: 'image'
          image-ref: 'ghcr.io/${{ github.repository }}:${{ github.sha }}'
          trivyignores: .trivyignore
          trivy-config: trivy.yaml
        env:
          TRIVY_USERNAME: ${{ github.repository_owner }}
          TRIVY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}