Files
code-server/.github/workflows/trivy-docker.yaml
dependabot[bot] 73c6bf6475 chore: bump actions/checkout from 6.0.3 to 7.0.0
Bumps [actions/checkout](https://github.com/actions/checkout) from 6.0.3 to 7.0.0.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](df4cb1c069...9c091bb21b)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 7.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-07-01 11:03:52 +00:00

64 lines
1.7 KiB
YAML

name: Trivy Nightly Docker Scan
on:
# Run scans if the workflow is modified, in order to test the
# workflow itself. This results in some spurious notifications,
# but seems okay for testing.
pull_request:
branches:
- main
paths:
- .github/workflows/trivy-docker.yaml
# Run scans against master whenever changes are merged.
push:
branches:
- main
paths:
- .github/workflows/trivy-docker.yaml
schedule:
- cron: "15 10 * * *"
workflow_dispatch:
permissions:
actions: none
checks: none
contents: read
deployments: none
issues: none
packages: none
pull-requests: none
repository-projects: none
security-events: write
statuses: none
# Cancel in-progress runs for pull requests when developers push
# additional changes, and serialize builds in branches.
# https://docs.github.com/en/actions/using-jobs/using-concurrency#example-using-concurrency-to-cancel-any-in-progress-job-or-run
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
jobs:
trivy-scan-image:
runs-on: ubuntu-22.04
steps:
- name: Checkout code
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
- name: Run Trivy vulnerability scanner in image mode
uses: aquasecurity/trivy-action@314ff8b43182423b84c50b1670b0e10f858f2d98 # latest
with:
image-ref: "docker.io/codercom/code-server:latest"
ignore-unfixed: true
format: "sarif"
output: "trivy-image-results.sarif"
severity: "HIGH,CRITICAL"
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4
with:
sarif_file: "trivy-image-results.sarif"