trivy_scanning.yml

name: Container Scanning with Trivy
on:
  workflow_run:
    workflows: ["Create and publish a Docker image"]
    types:
      - completed

env:
  REGISTRY: ghcr.io
  IMAGE_NAME: ${{ github.repository }}

jobs:
  build:
    name: Container Scanning with Trivy
    runs-on: ubuntu-20.04
    steps:
      ## Start: Version 0
      - name: Checkout code
        uses: actions/checkout@v3
          
      - name: Extract metadata (tags, labels) for Docker
        id: meta
        uses: docker/metadata-action@98669ae865ea3cffbcbaa878cf57c20bbf1c6c38
        with:
          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
      ## End: Version 0




      ## Start: Version 1
      # - name: Trivy
      #   uses: aquasecurity/trivy-action@master
      #   with:
      #     image-ref: ${{ steps.meta.outputs.tags }}
      #     format: 'table'
      #     exit-code: '1'
      #   env:
      #     TRIVY_USERNAME: ${{ github.actor }}
      #     TRIVY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
      ## End: Version 1





      ## Start: Version 2
      - name: Trivy
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: ${{ steps.meta.outputs.tags }}
          format: 'sarif'
          output: 'trivy-results.sarif'
        env:
          TRIVY_USERNAME: ${{ github.actor }}
          TRIVY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
      
      - name: Upload artifact
        uses: actions/upload-artifact@main
        with:
          name: 'trivy-results.sarif'
          path: 'trivy-results.sarif'
      
      - name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: 'trivy-results.sarif'
      ## End: Version 2