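# Nightly Trivy vulnerability scan of the published Keycloak nightly container
# images. Runs on a schedule (and on demand), only in the upstream
# keycloak/keycloak repository, and uploads the findings as SARIF to the
# GitHub Security tab.
name: Trivy

on:  # yamllint disable-line rule:truthy
  schedule:
    # Cron expression quoted so the asterisks are never read as YAML syntax.
    - cron: '0 6 * * *'
  workflow_dispatch:

# Least-privilege GITHUB_TOKEN: upload-sarif needs security-events:write and
# nothing in this workflow writes to the repository, so leave the default
# token scope out of the picture rather than depending on the repo setting.
permissions:
  contents: read
  security-events: write

defaults:
  run:
    shell: bash

jobs:
  analysis:
    name: Vulnerability scanner for nightly containers
    runs-on: ubuntu-latest
    # Only scan from the upstream repository, not from forks.
    if: github.repository == 'keycloak/keycloak'
    strategy:
      matrix:
        container: [keycloak, keycloak-operator]
      # Keep scanning the other image when one scan fails.
      fail-fast: false
    steps:
      - name: Run Trivy vulnerability scanner
        # Pinned to a commit SHA so the action cannot change underneath us.
        uses: aquasecurity/trivy-action@9ab158e8597f3b310480b9a69402b419bc03dbd5
        with:
          image-ref: quay.io/keycloak/${{ matrix.container }}:nightly
          # Render results through Trivy's bundled SARIF template.
          format: template
          template: '@/contrib/sarif.tpl'
          output: trivy-results.sarif
          severity: MEDIUM,CRITICAL,HIGH
          # Skip findings that have no available fix yet, to cut noise.
          ignore-unfixed: true

      - name: Upload Trivy scan results to GitHub Security tab
        # Pinned to a release tag; a commit SHA would pin it more firmly.
        uses: github/codeql-action/upload-sarif@v2.1.37
        with:
          sarif_file: trivy-results.sarif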