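name: 'SEC :: Trivy container scan'

# Least-privilege token. Without an explicit block the GITHUB_TOKEN inherits
# the repository default, which may still be write-all; this job only needs
# to read the checkout and upload SARIF to the Security tab.
permissions:
  contents: read
  security-events: write  # required by github/codeql-action/upload-sarif
  actions: read           # upload-sarif needs this on private repositories

on:
  workflow_dispatch:
  # Pushes to main that touch the build inputs below. Caveat: changes to the
  # application sources or package references also change the image's
  # library vulnerabilities but do NOT re-trigger this scan.
  push:
    branches:
      - main
    paths:
      - Dockerfile
      - docker-compose.yml
  # New CVEs are published without any commit to this repository; rescan the
  # current image periodically so the Security tab does not go stale.
  schedule:
    - cron: '0 6 * * 1'  # weekly, Monday 06:00 UTC

jobs:
  trivy-scan:
    runs-on: ubuntu-24.04
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Build an image from Dockerfile
        run: docker build -t fsharp-api:latest .

      # Report-only scan: trivy-action's exit-code defaults to 0 and
      # continue-on-error keeps scanner failures (e.g. vulnerability DB
      # download) from failing the job, so CRITICAL/HIGH findings never
      # block anything. To turn this into a gate, set `exit-code: '1'`
      # and remove continue-on-error.
      - name: Run Trivy vulnerability scanner - sarif
        id: trivy-scan-sarif
        continue-on-error: true
        # TODO(security): pin to a release tag or, preferably, a full commit
        # SHA. `@master` is a mutable ref: a compromised or force-pushed
        # upstream branch runs arbitrary code in this job (supply-chain risk).
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: fsharp-api:latest
          format: 'sarif'
          output: 'trivy-results.sarif'
          # Suppresses findings that have no upstream fix yet; they are still
          # present in the image and are simply not reported.
          ignore-unfixed: true
          vuln-type: 'os,library'
          severity: 'CRITICAL,HIGH'
          timeout: '15m'

      # Only upload when Trivy actually produced a SARIF file; with
      # continue-on-error the step outcome is 'failure' when the scanner
      # itself failed, and upload-sarif would otherwise fail on a missing file.
      - name: Upload Trivy scan results to GitHub Security tab
        if: ${{ steps.trivy-scan-sarif.outcome == 'success' }}
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: 'trivy-results.sarif'

      # Second pass with the same scope, rendered as HTML for the job summary.
      # Same pinning concern as above applies to `@master`.
      - name: Run Trivy vulnerability scanner - template
        id: trivy-scan-template
        continue-on-error: true
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: fsharp-api:latest
          format: 'template'
          # NOTE(review): this path appears to be where trivy-action installs
          # the Trivy binary; it is an implementation detail of the action and
          # may break when the action is upgraded - confirm after pinning.
          template: "@$HOME/.local/bin/trivy-bin/contrib/html.tpl"
          output: 'trivy-results.html'
          ignore-unfixed: true
          vuln-type: 'os,library'
          severity: 'CRITICAL,HIGH'
          timeout: '15m'

      # Step summaries are capped by GitHub at 1 MiB; continue-on-error means
      # an oversized HTML report only loses the summary, not the job.
      - name: Show Trivy scan summary
        if: ${{ steps.trivy-scan-template.outcome == 'success' }}
        continue-on-error: true
        run: |
          echo "## Trivy results" >> "$GITHUB_STEP_SUMMARY"
          echo "---" >> "$GITHUB_STEP_SUMMARY"
          cat trivy-results.html >> "$GITHUB_STEP_SUMMARY"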