Image Security Scan (main) #12

	name: Image Security Scan
	run-name: Image Security Scan (${{ github.event_name == 'schedule' && 'latest' \|\| github.ref_name }})

	on:
	schedule:
	# Monthly on the 1st at 00:00 UTC
	- cron: '0 0 1 * *'
	workflow_dispatch:

	jobs:
	scan:
	runs-on: ubuntu-latest
	permissions:
	contents: read
	security-events: write

	steps:
	- name: Checkout
	if: github.event_name == 'workflow_dispatch'
	uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
	with:
	persist-credentials: false

	- name: Set up Docker Buildx
	if: github.event_name == 'workflow_dispatch'
	uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0

	- name: Build image
	if: github.event_name == 'workflow_dispatch'
	uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2
	env:
	DOCKER_BUILD_CHECKS_ANNOTATIONS: false
	DOCKER_BUILD_SUMMARY: false
	DOCKER_BUILD_RECORD_UPLOAD: false
	with:
	context: docker
	load: true
	tags: buildcage:scan

	- name: Scan image with Trivy
	id: trivy-scan
	uses: aquasecurity/trivy-action@97e0b3872f55f89b95b2f65b3dbab56962816478 # v0.34.2
	with:
	image-ref: ${{ github.event_name == 'schedule' && format('ghcr.io/{0}:latest', github.repository) \|\| 'buildcage:scan' }}
	ignore-unfixed: true
	trivyignores: .trivyignore
	scanners: vuln
	format: sarif
	output: trivy-results.sarif
	severity: CRITICAL,HIGH

	- name: Upload Trivy scan results to GitHub Security
	uses: github/codeql-action/upload-sarif@9e907b5e64f6b83e7804b09294d44122997950d6 # v4.32.3
	with:
	sarif_file: trivy-results.sarif

Provide feedback