diff --git a/.github/workflows/analysis.yaml b/.github/workflows/analysis.yaml
new file mode 100644
index 0000000..7660857
--- /dev/null
+++ b/.github/workflows/analysis.yaml
@@ -0,0 +1,38 @@
+name: Analysis
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    types: [opened, reopened, synchronize, ready_for_review, converted_to_draft]
+  schedule:
+    - cron: "0 11 * * 0" # 3 AM PST = 12 PM UDT, runs sundays
+  workflow_dispatch:
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  # https://github.com/marketplace/actions/aqua-security-trivy
+  trivy:
+    name: Trivy Security Scan
+    if: ${{ ! github.event.pull_request.draft }}
+    runs-on: ubuntu-22.04
+    timeout-minutes: 1
+    steps:
+      - uses: actions/checkout@v4
+      - name: Run Trivy vulnerability scanner in repo mode
+        uses: aquasecurity/trivy-action@0.22.0
+        with:
+          format: "sarif"
+          output: "trivy-results.sarif"
+          ignore-unfixed: true
+          scan-type: "fs"
+          scanners: "vuln,secret,config"
+          severity: "CRITICAL,HIGH"
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: "trivy-results.sarif"
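Review bot: `timeout-minutes: 1` on the trivy job is almost certainly too short — the scan step has to fetch the vulnerability database before it can scan the checkout, so the job will be killed and the upload step never runs, meaning the "security scan" produces no findings at all; `timeout-minutes: 15` is a more realistic ceiling. The job also declares no `permissions:`, and `github/codeql-action/upload-sarif` needs `security-events: write`, which a read-only default `GITHUB_TOKEN` does not grant; add `permissions: { contents: read, security-events: write }` at the job level (expect the upload to still be rejected for pull requests from forks, which only receive a read-only token). For supply-chain hardening, pin the third-party actions to full commit SHAs rather than the mutable tags `aquasecurity/trivy-action@0.22.0` and `github/codeql-action/upload-sarif@v3`, keeping the version as a trailing comment. Note too that without `exit-code: 1` the scan is informational only — CRITICAL/HIGH findings reach the Security tab but never fail the pull request — which is fine if intended but deserves a comment saying so. The cron comment `# 3 AM PST = 12 PM UDT, runs sundays` is also wrong: `0 11 * * 0` is 11:00 UTC, which is 3 AM PST.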