name: Trivy on: workflow_dispatch: defaults: run: shell: bash jobs: analysis: name: Vulnerability scanner for nightly containers runs-on: ubuntu-latest if: github.repository == 'keycloak/keycloak' strategy: matrix: container: [keycloak, keycloak-operator] fail-fast: false steps: - name: Run Trivy vulnerability scanner uses: aquasecurity/trivy-action@fbd16365eb88e12433951383f5e99bd901fc618f with: image-ref: quay.io/keycloak/${{ matrix.container}}:nightly format: template template: '@/contrib/sarif.tpl' output: trivy-results.sarif severity: MEDIUM,CRITICAL,HIGH ignore-unfixed: true security-checks: vuln timeout: 15m - name: Upload Trivy scan results to GitHub Security tab uses: github/codeql-action/upload-sarif@v2 with: sarif_file: trivy-results.sarif