scan.yml

name: Scan

on:
  workflow_call:
  workflow_dispatch:
  schedule:
    - cron: "0 6 * * *" # Every day at 8am

jobs:
  vulnerability-scan:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: read
      security-events: write
    steps:
      - uses: actions/checkout@v4

      - name: validate github workflow files to have pinned versions
        uses: digitalservicebund/github-actions-linter@09783a3d4e13424bc0caf1f7145f68bc6138688b # v0.1.14

      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0 # v0.29.0
        env:
          TRIVY_USERNAME: ${{ github.actor }}
          TRIVY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
          TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db
        with:
          scan-type: "fs"
          format: "sarif"
          output: "trivy-results.sarif"
          severity: "CRITICAL,HIGH"
          limit-severities-for-sarif: true
          exit-code: 2 # Fail the build!

      # Upload SARIF results to GitHub Security tab
      - name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@48ab28a6f5dbc2a99bf1e0131198dd8f1df78169 # v3.28.0
        if: always() # Bypass non-zero exit code
        with:
          sarif_file: "trivy-results.sarif"

      - name: Send status to Slack
        uses: digitalservicebund/notify-on-failure-gha@814d0c4b2ad6a3443e89c991f8657b10126510bf # v1.5.0
        if: ${{ failure() }}
        with:
          SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}