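# Trivy vulnerability scan of the published Retina container images.
# Runs weekly, on manual dispatch, and after a successful image release.
# Findings are uploaded as SARIF to the GitHub Security tab; the scan itself
# does not fail the job (trivy-action's default exit-code is 0), so this
# workflow reports rather than gates.
name: trivy
on:
  schedule:
    - cron: "40 11 * * 0"  # weekly, Sunday 11:40 UTC
  workflow_dispatch:
  workflow_run:
    workflows:
      - Release Retina Container Images
    types:
      - completed
permissions:
  contents: read
jobs:
  scan:
    # For workflow_run, only scan images that were actually released; the
    # schedule and manual dispatch triggers always run.
    if: ${{ github.event_name != 'workflow_run' || github.event.workflow_run.conclusion == 'success' }}
    permissions:
      contents: read
      security-events: write  # required by upload-sarif
    name: Trivy Scan
    strategy:
      fail-fast: false  # a failure on one image must not cancel the other scans
      matrix:
        image:
          - retina-agent
          - retina-init
          - retina-operator
          - kubectl-retina
          - retina-shell
    runs-on: ubuntu-latest # trivy only supports running on Linux
    timeout-minutes: 30
    steps:
      - name: Checkout code
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: Get Tag
        # Context values are handed to the script via env instead of being
        # interpolated into the shell text, so the script only ever reads
        # ordinary, quoted shell variables.
        env:
          GH_TOKEN: ${{ github.token }}
          EVENT_NAME: ${{ github.event_name }}
          REPO: ${{ github.repository }}
        run: |
          if [ "$EVENT_NAME" = "schedule" ] || [ "$EVENT_NAME" = "workflow_dispatch" ]; then
            # Scan the latest published release; fall back to the checked-out
            # version when no release exists or gh cannot reach the API.
            TAG=$(gh release view --repo "$REPO" --json tagName -q .tagName 2>/dev/null || make version)
          else
            # workflow_run: NOTE(review): presumably the checked-out commit is the
            # one that was just released, so `make version` matches the pushed
            # image tag — confirm against the release workflow.
            TAG=$(make version)
          fi
          # An empty tag would yield a malformed image-ref and an opaque trivy
          # error; fail here with a clear message instead.
          if [ -z "$TAG" ]; then
            echo "::error::could not determine the image tag to scan"
            exit 1
          fi
          echo "TAG=$TAG" >> "$GITHUB_ENV"
      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@e368e328979b113139d6f9068e03accaed98a518 # 0.34.1
        with:
          image-ref: "ghcr.io/${{ github.repository }}/${{ matrix.image }}:${{ env.TAG }}"
          format: "template"
          template: "@/contrib/sarif.tpl"
          output: "trivy-results.sarif"
          severity: "CRITICAL,HIGH"  # MEDIUM and below are not reported
      - name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@89a39a4e59826350b863aa6b6252a07ad50cf83e # v4.32.4
        with:
          sarif_file: "trivy-results.sarif"
          # Keep the five matrix uploads distinct: without a category, uploads
          # for the same tool and ref may replace one another in the Security tab.
          category: trivy-${{ matrix.image }}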