trivy.yml

name: Security Check

on:
  push:
    branches: [master]
  pull_request:
    branches: [master]
    paths:
      - go.mod

jobs:
  build:
    name: Trivy
    runs-on: ubuntu-20.04
    steps:
      - name: Checkout Code
        uses: actions/checkout@v4
        with:
          # Resolves to empty string for push events and falls back to HEAD.
          ref: ${{ github.event.pull_request.head.sha }}

      - name: Run Trivy
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: 'fs'
          ignore-unfixed: true
          format: 'sarif'
          output: 'trivy-results.sarif'
          severity: 'CRITICAL,HIGH'
          
      - name: Upload Results To GitHub Security Tab
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: 'trivy-results.sarif'