SRE-2505 ci: Fix Trivy scan upload to the Security tab

.github/workflows/trivy.yml

@@ -1,7 +1,12 @@
+# SPDX-License-Identifier: BSD-2-Clause-Patent
+# Copyright (c) 2024 Intel Corporation.
+
 name: Trivy scan
 
 on:
   workflow_dispatch:
+  schedule:
+    - cron: '0 0 * * *'
   push:
     branches: ["master", "release/**"]
   pull_request:
@@ -11,15 +16,17 @@ on:
 permissions: {}
 
 jobs:
-  build:
-    name: Build
-    runs-on: ubuntu-20.04
+  scan:
+    name: Scan with Trivy
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
     steps:
       - name: Checkout code
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11  # v4.1.1
 
-      - name: Run Trivy vulnerability scanner in repo mode
-        uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8  # 0.24.0
+      - name: Run Trivy vulnerability scanner in filesystem mode (table format)
+        uses: aquasecurity/trivy-action@915b19bbe73b92a6cf82a1bc12b087c9a19a5fe2  # 0.28.0
         with:
           scan-type: 'fs'
           scan-ref: '.'
@@ -43,8 +50,8 @@ jobs:
             utils/trivy/trivy.yaml
           sed -i 's/format: template/format: sarif/g' utils/trivy/trivy.yaml
 
-      - name: Run Trivy vulnerability scanner in repo mode
-        uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8  # 0.24.0
+      - name: Run Trivy vulnerability scanner in filesystem mode (sarif format)
+        uses: aquasecurity/trivy-action@915b19bbe73b92a6cf82a1bc12b087c9a19a5fe2  # 0.28.0
         with:
           scan-type: 'fs'
           scan-ref: '.'
@@ -62,8 +69,8 @@ jobs:
           sed -i 's/format: sarif/format: table/g' utils/trivy/trivy.yaml
           sed -i 's/exit-code: 0/exit-code: 1/g' utils/trivy/trivy.yaml
 
-      - name: Run Trivy vulnerability scanner in repo mode
-        uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8  # 0.24.0
+      - name: Run Trivy vulnerability scanner in filesystem mode (human readable format)
+        uses: aquasecurity/trivy-action@915b19bbe73b92a6cf82a1bc12b087c9a19a5fe2  # 0.28.0
         with:
           scan-type: 'fs'
           scan-ref: '.'

README.md

@@ -5,6 +5,7 @@
 [![Build](https://github.com/daos-stack/daos/actions/workflows/ci2.yml/badge.svg)](https://github.com/daos-stack/daos/actions/workflows/ci2.yml)
 [![Codespell](https://github.com/daos-stack/daos/actions/workflows/spelling.yml/badge.svg)](https://github.com/daos-stack/daos/actions/workflows/spelling.yml)
 [![Doxygen](https://github.com/daos-stack/daos/actions/workflows/doxygen.yml/badge.svg)](https://github.com/daos-stack/daos/actions/workflows/doxygen.yml)
+[![Trivy scan](https://github.com/daos-stack/daos/actions/workflows/trivy.yml/badge.svg)](https://github.com/daos-stack/daos/actions/workflows/trivy.yml)
 
 <a href="https://docs.daos.io/">
 <img src="https://avatars.githubusercontent.com/u/20561043?s=400&u=db7cd0ada987ba59c21c3de5f9e7cffba73c3325&v=4" width="200" height="200">

utils/trivy/trivy.yaml

@@ -1,3 +1,6 @@
+# SPDX-License-Identifier: BSD-2-Clause-Patent
+# Copyright (c) 2024 Intel Corporation.
+
 cache:
   backend: fs
   dir:
@@ -16,7 +19,7 @@ db:
   no-progress: false
   repository: ghcr.io/aquasecurity/trivy-db
   skip-update: false
-debug: false
+debug: true
 dependency-tree: true
 exit-code: 0
 generate-default-config: false