security #188

	name: security
	on:
	workflow_dispatch:
	inputs:
	IMAGE_TAG:
	description: Tag of the image to scan
	required: false
	default: "latest"
	type: string
	schedule:
	- cron: "0 21 * * FRI"
	jobs:
	scan:
	runs-on: ubuntu-latest
	permissions:
	contents: read
	security-events: write
	steps:
	- name: Checkout
	uses: actions/checkout@v4

	- name: Run Trivy vulnerability scanner
	id: trivy
	continue-on-error: true
	run: \|
	mkdir -p build/trivy/cache
	mkdir -p build/trivy/output
	docker run --rm \
	--mount "type=bind,src=$(pwd)/build/trivy/cache,dst=/root/.cache" \
	--mount "type=bind,src=$(pwd)/build/trivy/output,dst=/trivy/output" \
	ghcr.io/aquasecurity/trivy:latest \
	image \
	--vuln-type="os" \
	--severity="MEDIUM,HIGH,CRITICAL" \
	--ignore-unfixed \
	--exit-code=5 \
	--format=sarif \
	--output=/trivy/output/trivy.sarif \
	ghcr.io/tprasadtp/protonwire:${IMAGE_TAG:-latest}
	env:
	IMAGE_TAG: ${{ inputs.IMAGE_TAG }}

	- name: Upload Trivy scan results to GitHub Security
	if: github.ref == 'refs/heads/master'
	uses: github/codeql-action/upload-sarif@v3
	with:
	sarif_file: 'build/trivy/output/trivy.sarif'

Provide feedback