Add Trivy scan workflow for vulnerability scanning

Signed-off-by: litebito <3867999+litebito@users.noreply.github.com>
This commit is contained in:
litebito 2026-04-26 09:48:12 +02:00 committed by GitHub
parent 8147012829
commit 2ec7809bcc
No known key found for this signature in database
GPG key ID: B5690EEEBB952194

34
.github/workflows/trivy_scan vendored Normal file
View file

@ -0,0 +1,34 @@
name: Trivy scan
on:
pull_request:
branches:
- main
push:
branches:
- main
schedule:
- cron: '0 0 * * *'
jobs:
scan:
name: scan
runs-on: [self-hosted, linux, x64, repo-airsonic-pulse]
steps:
- name: Checkout code
uses: actions/checkout@v5
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@0.33.0
with:
scan-type: 'fs'
format: 'sarif'
ignore-unfixed: true
output: 'trivy-results.sarif'
severity: 'CRITICAL'
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v3
if: always()
with:
sarif_file: 'trivy-results.sarif'