security.yml

name: security
on:
  workflow_dispatch:
  schedule:
    - cron: "0 21 * * FRI"
permissions:
  contents: read
  security-events: write
jobs:
  trivy:
    runs-on: ubuntu-latest
    steps:
      - name: Get tag for latest release
        id: get_latest_release
        run: |
          latest_release_tag="$(gh api repos/${GH_REPO}/releases/latest --jq '.tag_name')"
          if [[ -n $latest_release_tag ]]; then
              echo "::debug::Tag for latest release is - $latest_release_tag"
              echo "TAG_NAME=$latest_release_tag" >> "$GITHUB_OUTPUT"
          else
              echo "::error::Failed to get tag for latest release($latest_release_tag)"
              exit 1
          fi
        env:
          GH_REPO: ${{ github.repository }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

      - name: Checkout latest tag
        uses: actions/checkout@v4
        with:
          ref: ${{ steps.get_latest_release.outputs.TAG_NAME }}

      - uses: actions/cache@v3
        with:
          path: .trivy
          key: ${{ runner.os }}-trivy-${{ github.run_id }}
          restore-keys: |
            ${{ runner.os }}-trivy-

      - name: Run Trivy vulnerability scanner
        id: trivy
        uses: aquasecurity/trivy-action@fbd16365eb88e12433951383f5e99bd901fc618f
        with:
          scan-type: 'image'
          vuln-type: os
          severity: HIGH,CRITICAL
          ignore-unfixed: true
          image-ref: 'ghcr.io/tprasadtp/protonwire:latest'
          format: 'sarif'
          output: 'trivy-results.sarif'

      - name: Upload Trivy scan results to GitHub Security tab
        if: github.ref == 'refs/heads/master' && always()
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: 'trivy-results.sarif'