From 06aa0a12596d74c866dd5ad9f783bef08bcc2531 Mon Sep 17 00:00:00 2001 From: Jonathan Gonzalez V Date: Tue, 17 Feb 2026 09:54:28 +0100 Subject: [PATCH 1/2] chore: add trivy as a second security scanner Closes #393 Signed-off-by: Jonathan Gonzalez V --- .github/actions/security-scans/action.yml | 25 +++++++++++++++++++++++ .github/workflows/bake_targets.yml | 6 +++--- 2 files changed, 28 insertions(+), 3 deletions(-) diff --git a/.github/actions/security-scans/action.yml b/.github/actions/security-scans/action.yml index cbbe1078..0181e0bb 100644 --- a/.github/actions/security-scans/action.yml +++ b/.github/actions/security-scans/action.yml @@ -62,3 +62,28 @@ runs: if: ${{ steps.snyk.outcome == 'success' }} with: sarif_file: snyk.sarif + + - name: Run Trivy vulnerability scanner + uses: aquasecurity/trivy-action@0.33.1 + id: trivy + continue-on-error: true + with: + version: 'latest' + image-ref: '${{ inputs.image }}' + format: 'sarif' + output: 'trivy-results.sarif' + + - name: Upload Trivy scan results to GitHub Security tab + uses: github/codeql-action/upload-sarif@v4 + if: ${{ steps.trivy.outcome == 'success' }} + with: + sarif_file: 'trivy-results.sarif' + + - name: Review Security checks + if: | + steps.snyk.outcome != 'success' && + steps.trivy.outcome != 'success' + shell: bash + run: | + echo "Snyk or Trivy check failed" + exit 1 diff --git a/.github/workflows/bake_targets.yml b/.github/workflows/bake_targets.yml index 84d44e08..c6ba6673 100644 --- a/.github/workflows/bake_targets.yml +++ b/.github/workflows/bake_targets.yml @@ -39,7 +39,7 @@ jobs: testbuild: # Start by building images for testing. We want to run security checks before pushing those to production. name: PostgreSQL ${{ inputs.postgresql_version }} - runs-on: ubuntu-24.04 + runs-on: ubuntu-latest-16-cores permissions: contents: read packages: write 
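Review bot: The new `Review Security checks` gate only fails when both scanners fail, yet with trivy-action's `exit-code` left at its default (documented as `0`, i.e. findings do not fail the step — worth confirming for 0.33.1) the `trivy` step reports `success` even when it finds vulnerabilities, so a Snyk failure alone no longer blocks the job. Either set `exit-code: '1'` (with `severity`/`ignore-unfixed` tuned to the policy) so Trivy's outcome carries signal, or tighten the gate to `steps.snyk.outcome != 'success' || steps.trivy.outcome != 'success'`. Once Trivy can fail on findings, `if: ${{ steps.trivy.outcome == 'success' }}` on the upload step drops the SARIF exactly when it matters; `if: ${{ always() && hashFiles('trivy-results.sarif') != '' }}` uploads whenever a report was written. Separately, `version: 'latest'` plus the tag-only references `trivy-action@0.33.1` and `upload-sarif@v4` are mutable; the checkout step in bake_targets.yml pins by commit SHA with a `# v6` comment, so these should follow the same convention.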
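Review bot: `runs-on: ubuntu-latest-16-cores` replaces the pinned `ubuntu-24.04` image with a floating label, so the OS the images are built and tested on can change underneath the build without a commit, which the previous pin avoided. If the larger runner is the goal, prefer an OS-pinned large-runner label if the organisation defines one, and add a comment such as `# larger runner for parallel bake; image pinned to 24.04 via runner-group config` recording where the pin now lives. Large runners are an organisation-level feature and, as far as I know, are not available to fork-originated runs, so confirm this workflow never needs to run in that context.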
@@ -130,7 +130,7 @@ jobs: security: name: Security checks - runs-on: ubuntu-latest + runs-on: ubuntu-latest-4-cores permissions: contents: read packages: read @@ -145,7 +145,7 @@ jobs: uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Security checks - uses: cloudnative-pg/postgres-containers/.github/actions/security-scans@main + uses: ./.github/actions/security-scans/ with: image: "${{ matrix.image }}" registry_user: ${{ github.actor }} From 0d43bc550b67000f7f1c7bb93b48354d0a935894 Mon Sep 17 00:00:00 2001 From: Gabriele Bartolini Date: Thu, 19 Feb 2026 12:54:56 +1100 Subject: [PATCH 2/2] Apply suggestions from code review Signed-off-by: Gabriele Bartolini --- .github/actions/security-scans/action.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/actions/security-scans/action.yml b/.github/actions/security-scans/action.yml index 0181e0bb..74b7e1f1 100644 --- a/.github/actions/security-scans/action.yml +++ b/.github/actions/security-scans/action.yml @@ -85,5 +85,5 @@ runs: steps.trivy.outcome != 'success' shell: bash run: | - echo "Snyk or Trivy check failed" + echo "None of the security checks succeeded (Snyk and Trivy)" exit 1
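Review bot: Switching to `uses: ./.github/actions/security-scans/` means the scan steps now come from the checked-out tree rather than upstream `main`, which is correct for a `pull_request` run but changes the trust boundary: if this workflow (or a caller) ever runs on `pull_request_target` or `workflow_run` with the `packages: read` token and registry credentials passed to the action, a fork can now rewrite the action that receives them. The trigger is not visible in this hunk, so this is an assumption to confirm; a comment on the step such as `# Local action: runs the checked-out copy, so this job must not execute fork code under pull_request_target` would record it for the next maintainer.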