keycloak/.github/workflows/trivy-analysis.yml

name: Trivy

on:
  workflow_dispatch:

defaults:
  run:
    shell: bash

permissions:
  contents: read
  
jobs:

  analysis:
    name: Vulnerability scanner for nightly containers
    runs-on: ubuntu-latest
    if: github.repository == 'keycloak/keycloak'
    strategy:
      matrix:
        container: [keycloak, keycloak-operator]
      fail-fast: false
    permissions:
      security-events: write # Required for SARIF uploads
    steps:
      - name: Checkout code
        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        
      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 # 0.33.1
        with:
          image-ref: quay.io/keycloak/${{ matrix.container }}:nightly
          format: sarif
          output: trivy-results.sarif
          severity: MEDIUM,CRITICAL,HIGH
          ignore-unfixed: true
          version: v0.57.1
          timeout: 15m
        env:
          TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db
          TRIVY_JAVA_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-java-db

      - name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@014f16e7ab1402f30e7c3329d33797e7948572db # v4.31.3
        with:
          sarif_file: trivy-results.sarif
          category: ${{ matrix.container }}