chore(deps): Update github/codeql-action action to v4.36.2

ci(security): add Trivy filesystem scan to code scanning (#1644 )
2026-06-08 15:08:40 +01:00 · 2026-06-08 12:10:16 +00:00 · 2026-06-08 14:05:23 +02:00
2 changed files with 63 additions and 3 deletions
--- a/.github/workflows/ci-codeql.yml
+++ b/.github/workflows/ci-codeql.yml
@@ -27,13 +27,13 @@ jobs:
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: 🏁 Initialize CodeQL
-        uses: github/codeql-action/init@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v4.36.0
+        uses: github/codeql-action/init@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2
        with:
          languages: ${{ matrix.language }}
          queries: +security-extended,security-and-quality
      - name: 🛠️ Autobuild
-        uses: github/codeql-action/autobuild@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v4.36.0
+        uses: github/codeql-action/autobuild@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2
      - name: 🧪 Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v4.36.0
+        uses: github/codeql-action/analyze@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2
--- a/.github/workflows/trivy-scan.yml
+++ b/.github/workflows/trivy-scan.yml
@@ -0,0 +1,60 @@
 name: 🛡️ Trivy Security Scan
 # Filesystem scan (Streamyfin ships no container image): finds vulnerable dependencies,
 # leaked secrets and misconfigurations, and reports them to GitHub code scanning.
 # Runs post-merge + weekly (not on PRs — dependency-review already gates PRs, and SARIF
 # upload needs a write token that fork PRs don't get).
 on:
  push:
    branches: [develop, master]
  schedule:
    - cron: "50 7 * * 5" # Weekly, Friday 07:50 UTC
  workflow_dispatch:
 permissions:
  contents: read
 concurrency:
  group: trivy-${{ github.ref }}
  cancel-in-progress: true
 jobs:
  trivy:
    name: 🔎 Filesystem scan
    runs-on: ubuntu-24.04
    permissions:
      contents: read
      security-events: write # upload SARIF to code scanning
    steps:
      - name: 📥 Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      # Rotate the DB cache weekly (matches the scheduled scan): cache hits within the week
      # instead of a fresh immutable entry per run, still refreshing the DB every week.
      - name: 🗓️ Compute weekly Trivy cache key
        id: trivy-cache-key
        run: echo "value=trivy-db-${{ runner.os }}-$(date -u +%G-%V)" >> "$GITHUB_OUTPUT"
      - name: 💾 Cache Trivy vulnerability DB
        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
        with:
          path: ~/.cache/trivy
          key: ${{ steps.trivy-cache-key.outputs.value }}
          restore-keys: trivy-db-${{ runner.os }}-
      - name: 🔎 Run Trivy filesystem scan
        uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25 # v0.36.0
        with:
          scan-type: fs
          scan-ref: .
          scanners: vuln,secret,misconfig
          ignore-unfixed: true
          severity: CRITICAL,HIGH
          format: sarif
          output: trivy-results.sarif
      - name: 📤 Upload results to code scanning
        uses: github/codeql-action/upload-sarif@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2
        with:
          sarif_file: trivy-results.sarif
          category: trivy-fs
Author	SHA1	Message	Date
renovate[bot]	b22b1e00b9	chore(deps): Update github/codeql-action action to v4.36.2	2026-06-08 12:10:16 +00:00
Gauvain	36ed7539a2	ci(security): add Trivy filesystem scan to code scanning (#1644 )	2026-06-08 14:05:23 +02:00