From 1b9660ec89093943eeced0f746c3202f3189ad71 Mon Sep 17 00:00:00 2001
From: Marco Argentieri <3596602+tiero@users.noreply.github.com>
Date: Fri, 23 Aug 2024 16:08:40 +0200
Subject: [PATCH] gha: add trivy security scan (#277)

---
.github/workflows/ark.trivy.yaml | 35 ++++++++++++++++++++++++++++++++
1 file changed, 35 insertions(+)
create mode 100644 .github/workflows/ark.trivy.yaml

diff --git a/.github/workflows/ark.trivy.yaml b/.github/workflows/ark.trivy.yaml
new file mode 100644
index 000000000..737ff3705
--- /dev/null
+++ b/.github/workflows/ark.trivy.yaml
@@ -0,0 +1,35 @@
+name: Trivy Security Scan
+
+on:
+ push:
+ branches: ["master"]
+ pull_request:
+ branches: ["master"]
+
+jobs:
+ build:
+ name: Build and Scan
+ runs-on: ubuntu-20.04
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v2
+
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@v1
+
+ - name: Build an image from Dockerfile
+ uses: docker/build-push-action@v2
+ with:
+ context: .
+ load: true
+ tags: ${{ github.repository }}:${{ github.sha }}
+
+ - name: Run Trivy vulnerability scanner
+ uses: aquasecurity/trivy-action@0.24.0
+ with:
+ image-ref: "${{ github.repository }}:${{ github.sha }}"
+ format: "table"
+ exit-code: "1"
+ ignore-unfixed: true
+ vuln-type: "os,library"
+ severity: "CRITICAL,HIGH"
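Review bot: The new workflow declares no `permissions:` block, so the `build` job runs with the repository's default GITHUB_TOKEN scope although it only needs to read the checkout; adding `permissions:` with `contents: read` at the top level keeps the scan job at least privilege. The third-party actions are referenced by mutable tags (`actions/checkout@v2`, `docker/setup-buildx-action@v1`, `docker/build-push-action@v2`, `aquasecurity/trivy-action@0.24.0`); pinning each `uses:` to a full commit SHA with the version in a trailing comment protects the pipeline against a retagged or compromised release, and the `v1`/`v2` majors have newer major versions available. The `tags:` value `${{ github.repository }}:${{ github.sha }}` is left unquoted while the equivalent `image-ref:` is quoted; quoting both is the safer and consistent form, and since Docker requires lowercase repository components the build step may fail if the owner or repository name contains uppercase characters, which I cannot tell from this patch. Consider also emitting `format: "sarif"` and uploading the report to code scanning so findings are tracked over time rather than only failing the job via `exit-code: "1"`.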