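# Trivy image scan for the nightly Keycloak containers.
# Triggered manually, restricted to the upstream repository, and publishes the
# findings as SARIF to the GitHub Security tab.
name: Trivy

on:
  workflow_dispatch:

# Least-privilege workflow token: upload-sarif needs security-events: write;
# nothing else in this workflow writes to the repository.
permissions:
  contents: read
  security-events: write

defaults:
  run:
    shell: bash

jobs:

  analysis:
    name: Vulnerability scanner for nightly containers
    runs-on: ubuntu-latest
    # Do not run on forks; the nightly images belong to the upstream project.
    if: github.repository == 'keycloak/keycloak'
    strategy:
      matrix:
        container: [keycloak, keycloak-operator]
      # Scan both images even when one of the matrix entries fails.
      fail-fast: false
    steps:
      - name: Run Trivy vulnerability scanner
        # Pinned to a commit SHA so a moved tag cannot swap the scanner code.
        uses: aquasecurity/trivy-action@062f2592684a31eb3aa050cc61e7ca1451cecd3d
        with:
          image-ref: quay.io/keycloak/${{ matrix.container }}:nightly
          format: template
          template: '@/contrib/sarif.tpl'
          output: trivy-results.sarif
          severity: MEDIUM,CRITICAL,HIGH
          # Report only findings that already have a fixed version available.
          ignore-unfixed: true
          security-checks: vuln
          timeout: 15m

      - name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: trivy-results.sarif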