name: Trivy

on:
  schedule:
    - cron: 0 6 * * *
  workflow_dispatch:

defaults:
  run:
    shell: bash

jobs:

  analysis:
    name: Vulnerability scanner for nightly containers
    runs-on: ubuntu-latest
    if: github.repository == 'keycloak/keycloak'
    strategy:
      matrix:
        container: [keycloak, keycloak-operator]
      fail-fast: false
    steps:
      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@41f05d9ecffa2ed3f1580af306000f734b733e54
        with:
          image-ref: quay.io/keycloak/${{ matrix.container}}:nightly
          format: template
          template: '@/contrib/sarif.tpl'
          output: trivy-results.sarif
          severity: MEDIUM,CRITICAL,HIGH
          ignore-unfixed: true
          security-checks: vuln
          timeout: 15m

      - name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v2.20.1
        with:
          sarif_file: trivy-results.sarif