Trivy Nightly Docker Scan #905

	name: Trivy Nightly Docker Scan

	on:
	# Run scans if the workflow is modified, in order to test the
	# workflow itself. This results in some spurious notifications,
	# but seems okay for testing.
	pull_request:
	branches:
	- main
	paths:
	- .github/workflows/trivy-docker.yaml

	# Run scans against master whenever changes are merged.
	push:
	branches:
	- main
	paths:
	- .github/workflows/trivy-docker.yaml

	schedule:
	# Run at 10:15 am UTC (3:15am PT/5:15am CT)
	# Run at 0 minutes 0 hours of every day.
	- cron: "15 10 * * *"

	workflow_dispatch:

	permissions:
	actions: none
	checks: none
	contents: read
	deployments: none
	issues: none
	packages: none
	pull-requests: none
	repository-projects: none
	security-events: write
	statuses: none

	# Cancel in-progress runs for pull requests when developers push
	# additional changes, and serialize builds in branches.
	# https://docs.github.com/en/actions/using-jobs/using-concurrency#example-using-concurrency-to-cancel-any-in-progress-job-or-run
	concurrency:
	group: ${{ github.workflow }}-${{ github.ref }}

	jobs:
	trivy-scan-image:
	runs-on: ubuntu-20.04

	steps:
	- name: Checkout code
	uses: actions/checkout@v4

	- name: Run Trivy vulnerability scanner in image mode
	uses: aquasecurity/trivy-action@d710430a6722f083d3b36b8339ff66b32f22ee55
	with:
	image-ref: "docker.io/codercom/code-server:latest"
	ignore-unfixed: true
	format: "sarif"
	output: "trivy-image-results.sarif"
	severity: "HIGH,CRITICAL"

	- name: Upload Trivy scan results to GitHub Security tab
	uses: github/codeql-action/upload-sarif@v3
	with:
	sarif_file: "trivy-image-results.sarif"

Provide feedback