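---
# Scheduled container-image vulnerability scan.
#
# Two Trivy passes run against the same image per matrix variant:
#   1. a gating pass (table output, exit-code 1) that fails the job on
#      CRITICAL/HIGH findings, and
#   2. a reporting pass (SARIF, down to MEDIUM) that always runs and uploads
#      to the GitHub Security tab, so findings are tracked even when the gate
#      has already failed the job.
name: Security Scan

on:
  schedule:
    # Run daily at 6:00 AM UTC
    - cron: '0 6 * * *'
  workflow_dispatch:

env:
  REGISTRY: ghcr.io

jobs:
  scan:
    runs-on: ubuntu-latest
    # Least privilege for GITHUB_TOKEN: read code and packages (to pull the
    # image), write code-scanning alerts (for the SARIF upload), nothing else.
    permissions:
      contents: read
      packages: read
      security-events: write
    strategy:
      # Keep scanning the remaining variants even if one fails its gate.
      fail-fast: false
      matrix:
        variant: [base]
    steps:
      - name: Checkout repository
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4

      - name: Set image name
        id: image
        # ${VAR,,} lowercases the repository owner before it is used as part of
        # the image path. GITHUB_OUTPUT is quoted so a path with spaces cannot
        # break the redirection.
        run: echo "name=${GITHUB_REPOSITORY_OWNER,,}/headjack" >> "$GITHUB_OUTPUT"

      - name: Log in to Container Registry
        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      # Gating pass: exit-code 1 fails the job on any CRITICAL/HIGH finding.
      # CAVEAT: ignore-unfixed is set on both passes, so a finding with no
      # upstream fix yet appears in neither the gate nor the Security tab.
      # That is a deliberate noise trade-off; revisit if unpatched criticals
      # need tracking.
      - name: Scan ${{ matrix.variant }} image with Trivy
        uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 # 0.33.1
        with:
          image-ref: ${{ env.REGISTRY }}/${{ steps.image.outputs.name }}:${{ matrix.variant }}
          format: table
          ignore-unfixed: true
          severity: CRITICAL,HIGH
          exit-code: 1
          # Per-variant suppression list. Entries here silently remove findings
          # from BOTH passes, so each one should carry a justification.
          trivyignores: images/${{ matrix.variant }}/.trivyignore

      # Reporting pass: runs even after a failed gate (if: always()) and also
      # includes MEDIUM, so the Security tab gets the wider picture without
      # that wider set blocking the job.
      - name: Upload Trivy scan results to GitHub Security tab
        if: always()
        uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 # 0.33.1
        with:
          image-ref: ${{ env.REGISTRY }}/${{ steps.image.outputs.name }}:${{ matrix.variant }}
          format: sarif
          output: trivy-results-${{ matrix.variant }}.sarif
          ignore-unfixed: true
          severity: CRITICAL,HIGH,MEDIUM
          trivyignores: images/${{ matrix.variant }}/.trivyignore

      - name: Upload SARIF file
        if: always()
        # TODO(security): pin this to a full commit SHA like every other action
        # in this workflow. A mutable tag such as v3 can be retargeted, and this
        # step runs with security-events: write.
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: trivy-results-${{ matrix.variant }}.sarif
          # Category includes the variant so each variant's results are kept
          # as separate analyses in the Security tab.
          category: trivy-${{ matrix.variant }}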