diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 0112221..f3b425b 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -74,3 +74,18 @@ jobs: env: COSIGN_EXPERIMENTAL: "true" TAGS: ${{ steps.meta.outputs.tags }} + + - name: Run Trivy vulnerability scanner + uses: aquasecurity/trivy-action@master + with: + image-ref: 'ghcr.io/tommytran732/synapse' + format: 'template' + template: '@/contrib/sarif.tpl' + output: 'trivy-results.sarif' + severity: 'CRITICAL,HIGH' + vuln-type: "os" + + - name: Upload Trivy scan results to GitHub Security tab + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: 'trivy-results.sarif'