mirror of
https://github.com/streamyfin/streamyfin.git
synced 2026-07-07 04:53:01 +01:00
51 lines
1.7 KiB
YAML
51 lines
1.7 KiB
YAML
name: 🛡️ Trivy Security Scan
|
|
|
|
# Filesystem scan (Streamyfin ships no container image): finds vulnerable dependencies,
|
|
# leaked secrets and misconfigurations, and reports them to GitHub code scanning.
|
|
# Runs post-merge + weekly (not on PRs — dependency-review already gates PRs, and SARIF
|
|
# upload needs a write token that fork PRs don't get).
|
|
on:
|
|
push:
|
|
branches: [develop, master]
|
|
schedule:
|
|
- cron: "50 7 * * 5" # Weekly, Friday 07:50 UTC
|
|
workflow_dispatch:
|
|
|
|
permissions:
|
|
contents: read
|
|
|
|
concurrency:
|
|
group: trivy-${{ github.ref }}
|
|
cancel-in-progress: true
|
|
|
|
jobs:
|
|
trivy:
|
|
name: 🔎 Filesystem scan
|
|
runs-on: ubuntu-26.04
|
|
permissions:
|
|
contents: read
|
|
security-events: write # upload SARIF to code scanning
|
|
steps:
|
|
- name: 📥 Checkout repository
|
|
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
|
|
|
|
# Trivy's own action caches the vulnerability DB + binary internally
|
|
# (cache-trivy-* / trivy-binary-* entries), so no manual ~/.cache/trivy
|
|
# step is needed — it only duplicated the cache.
|
|
- name: 🔎 Run Trivy filesystem scan
|
|
uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25 # v0.36.0
|
|
with:
|
|
scan-type: fs
|
|
scan-ref: .
|
|
scanners: vuln,secret,misconfig
|
|
ignore-unfixed: true
|
|
severity: CRITICAL,HIGH
|
|
format: sarif
|
|
output: trivy-results.sarif
|
|
|
|
- name: 📤 Upload results to code scanning
|
|
uses: github/codeql-action/upload-sarif@54f647b7e1bb85c95cddabcd46b0c578ec92bc1a # v4.36.3
|
|
with:
|
|
sarif_file: trivy-results.sarif
|
|
category: trivy-fs
|