scanner.yml

name: Scanner

on:
  push:
    branches:
      - master
  pull_request:
    branches:
      - master
  schedule:
    - cron: "0 0 * * *" # 9:00 JST every day

jobs:
  scan:
    name: Vulnerability scanner
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: actions/cache@v3
        with:
          path: ~/go/pkg/mod
          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
          restore-keys: |
            ${{ runner.os }}-go-
      - uses: actions/setup-go@v3
        with:
          go-version: "~1.16"
      - name: Build
        run: make build/server
      - name: Run Trivy vulnerability scanner in repo mode
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: fs
          scan-ref: ./build
          severity: CRITICAL,HIGH
          ignore-unfixed: true
          format: template
          template: "@/contrib/sarif.tpl"
          output: trivy-results.sarif
      - name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: trivy-results.sarif