name: Trivy Nightly Docker Scan

on:
  # Run scans if the workflow is modified, in order to test the
  # workflow itself. This results in some spurious notifications,
  # but seems okay for testing.
  pull_request:
    branches:
      - main
    paths:
      - .github/workflows/trivy-docker.yaml

  # Run scans against master whenever changes are merged.
  push:
    branches:
      - main
    paths:
      - .github/workflows/trivy-docker.yaml

  schedule:
    # Run at 10:15 am UTC (3:15am PT/5:15am CT)
    # Run at 0 minutes 0 hours of every day.
    - cron: "15 10 * * *"

  workflow_dispatch:

permissions:
  actions: none
  checks: none
  contents: read
  deployments: none
  issues: none
  packages: none
  pull-requests: none
  repository-projects: none
  security-events: write
  statuses: none

# Cancel in-progress runs for pull requests when developers push
# additional changes, and serialize builds in branches.
# https://docs.github.com/en/actions/using-jobs/using-concurrency#example-using-concurrency-to-cancel-any-in-progress-job-or-run
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}

jobs:
  trivy-scan-image:
    runs-on: ubuntu-20.04

    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Run Trivy vulnerability scanner in image mode
        uses: aquasecurity/trivy-action@d43c1f16c00cfd3978dde6c07f4bbcf9eb6993ca
        with:
          image-ref: "docker.io/codercom/code-server:latest"
          ignore-unfixed: true
          format: "sarif"
          output: "trivy-image-results.sarif"
          severity: "HIGH,CRITICAL"

      - name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: "trivy-image-results.sarif"