CVE Scan #964

	name: CVE Scan

	on:
	push:
	branches: ["main"]
	tags: ["**"]
	pull_request:
	types:
	- opened
	- reopened
	- synchronize
	schedule:
	- cron: "14 3 * * 1-5"
	workflow_dispatch:

	concurrency:
	group: ${{ github.workflow }}-${{ github.ref }}
	cancel-in-progress: true

	jobs:
	scan:
	runs-on: ubuntu-latest
	timeout-minutes: 10
	steps:
	- name: Checkout repo
	uses: actions/checkout@v4
	with:
	fetch-depth: 1

	- name: Cache requirements
	uses: actions/cache@v4
	env:
	cache-name: cache-requirements
	with:
	path: ~/.cache/pip
	key: ${{ env.cache-name }}-${{ hashFiles('requirements.txt') }}
	restore-keys: \|
	${{ env.cache-name }}-

	- name: Cache environment
	uses: actions/cache@v4
	env:
	cache-name: cache-environment
	with:
	path: ~/.cache/pip
	key: ${{ env.cache-name }}-${{ hashFiles('*.lock') }}
	restore-keys: \|
	${{ env.cache-name }}-

	- name: Setup python
	uses: actions/setup-python@v5
	with:
	python-version: 3.11

	- name: Install requirements
	run: make setup

	- name: Export dependencies
	run: \|
	mkdir --parents pdm
	pdm export-all > pdm/requirements.txt

	- name: Run trivy
	uses: aquasecurity/trivy-action@master
	with:
	format: 'sarif'
	list-all-pkgs: 'true'
	output: 'trivy-results.sarif'
	scan-ref: '.'
	scan-type: 'fs'
	severity: 'MEDIUM,HIGH,CRITICAL'

	- name: Publish results
	uses: github/codeql-action/upload-sarif@v3
	if: always()
	with:
	sarif_file: 'trivy-results.sarif'

Provide feedback