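# This workflow uses actions that are not certified by GitHub.
# They are provided by a third-party and are governed by
# separate terms of service, privacy policy, and support
# documentation.
#
# Builds the container image from the repository Dockerfile, scans it with
# Trivy for CRITICAL/HIGH findings and uploads the SARIF report to the
# repository's Security tab. `$default-branch`, `$protected-branches` and
# `$cron-weekly` are starter-workflow placeholders substituted by GitHub.
name: build

# `on` is a YAML 1.1 boolean key; GitHub's loader still reads it as the
# trigger map (suppress yamllint `truthy` here rather than renaming it).
on:
  push:
    branches: [ $default-branch, $protected-branches ]
  pull_request:
    # The branches below must be a subset of the branches above
    branches: [ $default-branch ]
  schedule:
    - cron: $cron-weekly

# Least-privilege GITHUB_TOKEN: checkout only needs read access and the SARIF
# upload needs `security-events: write`. Declaring this explicitly also keeps
# the upload working on repositories whose default token is read-only.
permissions:
  contents: read
  security-events: write
  # upload-sarif additionally needs `actions: read` on private repositories.
  actions: read

jobs:
  build:
    name: Build
    # ubuntu-18.04 has been retired from GitHub-hosted runners; a job that
    # requests it fails before any step runs.
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Build an image from Dockerfile
        run: |
          docker build -t docker.io/my-organization/my-app:${{ github.sha }} .

      # Pinned to a full commit SHA so the third-party action cannot change
      # underneath the workflow; tag references such as @v4 are mutable and
      # should be pinned the same way once a specific release is chosen.
      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@2a2157eb22c08c9a1fac99263430307b8d1bc7a2
        with:
          image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}'
          format: 'template'
          template: '@/contrib/sarif.tpl'
          output: 'trivy-results.sarif'
          severity: 'CRITICAL,HIGH'

      - name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: 'trivy-results.sarif'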