From 7ce07265b9c13e00e54a06f7a852924a1684dc93 Mon Sep 17 00:00:00 2001
From: appleboy
Date: Thu, 31 Jul 2025 21:23:55 +0800
Subject: [PATCH] ci: integrate Trivy code scanning in PR workflows

- Add a code scanning job using Trivy to check for CRITICAL and HIGH severity vulnerabilities during PR workflows

Signed-off-by: appleboy
---
 .gitea/workflows/test-pr.yml | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)

diff --git a/.gitea/workflows/test-pr.yml b/.gitea/workflows/test-pr.yml
index 149102b..3cfb875 100644
--- a/.gitea/workflows/test-pr.yml
+++ b/.gitea/workflows/test-pr.yml
@@ -23,4 +23,19 @@ jobs:
 uses: golang/govulncheck-action@v1
 with:
 go-version-file: 'go.mod'
- go-package: ./...
\ No newline at end of file
+ go-package: ./...
+
+ code-scan:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+
+ - name: Run Trivy vulnerability scanner in repo mode
+ uses: aquasecurity/trivy-action@0.28.0
+ with:
+ scan-type: 'fs'
+ ignore-unfixed: true
+ format: 'sarif'
+ output: 'trivy-results.sarif'
+ exit-code: '1'
+ severity: 'CRITICAL,HIGH'
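Review bot: The Trivy step writes its findings to `trivy-results.sarif` but nothing else in the added `code-scan` job uploads or reads that file, so when `exit-code: '1'` fails the job the report is discarded with the runner and the log carries only SARIF-format output, which is hard to act on. Add an upload step that runs even when the scan fails (below), assuming the Gitea runner supports `actions/upload-artifact`, or alternatively switch `format` to `table` so the findings are readable straight from the log. Separately, `aquasecurity/trivy-action@0.28.0` and `actions/checkout@v4` are pinned to mutable tags; pinning to the full commit SHA with the tag in a trailing comment (`uses: aquasecurity/trivy-action@<full-commit-sha>  # 0.28.0`) protects the job against a retagged action. `ignore-unfixed: true` deliberately hides findings that have no upstream fix yet, which deserves a one-line comment so a passing job is not mistaken for a clean scan.

```yaml
      - name: Run Trivy vulnerability scanner in repo mode
        # … unchanged: trivy-action step and its `with:` options …

      - name: Upload Trivy SARIF report
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: trivy-results
          path: trivy-results.sarif
```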