Merge pull request #7 from kalvinparker/chore/consolidate-workflows

chore(ci): consolidate Trivy workflows into ci.yml
2 months ago · 3feee4758b
2 changed files with 14 additions and 59 deletions
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@ -1,26 +1,32 @@
-name: Automated Security Gates
+name: Consolidated CI - Repo Trivy Scan

 on:
  push:
    branches: [ main, master ]
  pull_request:
    branches: [ main, master ]
+  schedule:
+    - cron: '0 4 * * *'
+
+permissions:
+  contents: read
+  security-events: write

 jobs:
-  build-and-scan:
+  trivy-scan:
    runs-on: ubuntu-latest
    steps:
-      - name: Checkout Code
+      - name: Checkout code
        uses: actions/checkout@v4

-      - name: Automated Vulnerability Scan (Trivy)
+      - name: Run Trivy vulnerability scanner (repo)
        uses: aquasecurity/trivy-action@0.33.1
        with:
-          scan-type: 'fs'
+          scan-type: repo
          ignore-unfixed: true
-          format: 'sarif'
-          output: 'trivy-results.sarif'
-          exit-code: '1'
+          format: sarif
+          output: trivy-results.sarif
+          severity: CRITICAL,HIGH

      - name: Upload SARIF results to GitHub Code Scanning
        uses: github/code-scanning-action/upload-sarif@v2
--- a/.github/workflows/trivy.yml
+++ b/.github/workflows/trivy.yml
@ -1,51 +0,0 @@
-name: Trivy
-permissions: {}
-
-on:
-  push:
-    branches:
-      - main
-
-    tags:
-      - '*'
-
-  pull_request:
-    branches:
-      - main
-
-  schedule:
-    - cron: '08 11 * * *'
-
-jobs:
-  trivy-scan:
-    # Only run this in the upstream repo and not on forks
-    # When all forks run this at the same time, it is causing `Too Many Requests` issues
-    if: ${{ github.repository == 'dani-garcia/vaultwarden' }}
-    name: Trivy Scan
-    permissions:
-      security-events: write # To write the security report
-    runs-on: ubuntu-24.04
-    timeout-minutes: 30
-
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 #v5.0.0
-        with:
-          persist-credentials: false
-
-      - name: Run Trivy vulnerability scanner
-        uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 # 0.33.1
-        env:
-          TRIVY_DB_REPOSITORY: docker.io/aquasec/trivy-db:2,public.ecr.aws/aquasecurity/trivy-db:2,ghcr.io/aquasecurity/trivy-db:2
-          TRIVY_JAVA_DB_REPOSITORY: docker.io/aquasec/trivy-java-db:1,public.ecr.aws/aquasecurity/trivy-java-db:1,ghcr.io/aquasecurity/trivy-java-db:1
-        with:
-          scan-type: repo
-          ignore-unfixed: true
-          format: sarif
-          output: trivy-results.sarif
-          severity: CRITICAL,HIGH
-
-      - name: Upload Trivy scan results to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@0499de31b99561a6d14a36a5f662c2a54f91beee # v4.31.2
-        with:
-          sarif_file: 'trivy-results.sarif'