name: Trivy permissions: {} concurrency: group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} cancel-in-progress: true on: push: branches: - main tags: - '*' pull_request: branches: - main schedule: - cron: '08 11 * * *' jobs: trivy-scan: # Only run this in the upstream repo and not on forks # When all forks run this at the same time, it is causing `Too Many Requests` issues if: ${{ github.repository == 'dani-garcia/vaultwarden' }} name: Trivy Scan permissions: security-events: write # To write the security report runs-on: ubuntu-24.04 timeout-minutes: 30 steps: - name: Checkout code uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: persist-credentials: false - name: Run Trivy vulnerability scanner uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25 # v0.36.0 env: TRIVY_DB_REPOSITORY: docker.io/aquasec/trivy-db:2,public.ecr.aws/aquasecurity/trivy-db:2,ghcr.io/aquasecurity/trivy-db:2 TRIVY_JAVA_DB_REPOSITORY: docker.io/aquasec/trivy-java-db:1,public.ecr.aws/aquasecurity/trivy-java-db:1,ghcr.io/aquasecurity/trivy-java-db:1 with: scan-type: repo ignore-unfixed: true format: sarif output: trivy-results.sarif severity: CRITICAL,HIGH - name: Upload Trivy scan results to GitHub Security tab uses: github/codeql-action/upload-sarif@99df26d4f13ea111d4ec1a7dddef6063f76b97e9 # v4.37.0 with: sarif_file: 'trivy-results.sarif'