Skip to content
Security Scan

Merge branch 'canonical:main' into main #1

Sign in to view logs

Merge branch 'canonical:main' into main

Merge branch 'canonical:main' into main #1

Workflow file for this run

.github/workflows/security_scan.yaml at 7753ffb
# Copyright 2026 Canonical Ltd.
# See LICENSE file for licensing details.
name: Security Scan
on:
push:
branches: [main]
pull_request:
workflow_dispatch:
jobs:
trivy-scan:
name: Run Trivy Security Scan
runs-on: ubuntu-latest
permissions:
contents: read
security-events: write
steps:
- name: Checkout repository
uses: actions/checkout@v6.0.2
- name: Ensure .trivyignore exists
run: |
if [ ! -f .trivyignore ]; then
echo "Creating empty .trivyignore"
touch .trivyignore
else
echo ".trivyignore already exists"
fi
- name: Run Trivy scan for logs
uses: aquasecurity/trivy-action@0.34.0
with:
scan-type: "fs"
scan-ref: "."
trivy-config: "trivy.yaml"
trivyignores: ".trivyignore"
- name: Run Trivy scan for SARIF report
uses: aquasecurity/trivy-action@0.34.0
with:
scan-type: "fs"
scan-ref: "."
trivy-config: "trivy.yaml"
trivyignores: ".trivyignore"
format: "sarif"
output: "trivy-results.sarif"
- name: Upload SARIF to GitHub Security tab
uses: github/codeql-action/upload-sarif@v4.32.3
with:
sarif_file: "trivy-results.sarif"
- name: Upload diagnostic SARIF artifact
uses: actions/upload-artifact@v6.0.0
with:
name: sarif-report
path: "trivy-results.sarif"
retention-days: 7
generate-sbom:
name: Generate SBOM from Filesystem
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: actions/checkout@v6.0.2
- name: Ensure .trivyignore exists
run: |
if [ ! -f .trivyignore ]; then
echo "Creating empty .trivyignore"
touch .trivyignore
else
echo ".trivyignore already exists"
fi
- name: Run Trivy to generate SBOM
uses: aquasecurity/trivy-action@0.34.0
with:
scan-type: "fs"
scan-ref: "."
trivy-config: "trivy.yaml"
trivyignores: ".trivyignore"
format: "spdx-json"
output: "dependency-results.sbom.json"
github-pat: ${{ secrets.GITHUB_TOKEN }}
- name: Upload SBOM as an artifact
uses: actions/upload-artifact@v6.0.0
with:
name: sbom
path: "dependency-results.sbom.json"
retention-days: 7