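name: trivy-scan-image
# run-name: Trivy - Scan Docker Image ${{ env.image_tag }}

on:
  workflow_dispatch:  # manual trigger of the workflow
    inputs:
      image_tag:
        description: 'Tag für das zu scannende Docker-Image z.B. latest'
        required: true
        default: 'latest'
  schedule:
    - cron: '30 1 * * 5'  # Fridays 01:30 on the runner's clock (UTC on GitHub-hosted runners)

# Least privilege: the job only pulls from an external registry and scans; it
# needs no write access to the repository. Runners that do not implement
# `permissions` ignore this key.
permissions:
  contents: read

env:
  image_name_gitea: flask-qr
  # The scheduled run has no inputs, so fall back to 'latest' there.
  image_tag: ${{ github.event.inputs.image_tag || 'latest' }}
  registry_gitea: gitea.tebarius.duckdns.org
  user: tebarius

jobs:
  trivy_image_scan:
    # `env` is not available in a job name on GitHub-hosted runners, so the tag
    # is read from the event directly; the platform comes from the matrix.
    name: Trivy - Scan Docker Image ${{ github.event.inputs.image_tag || 'latest' }} (${{ matrix.platform }})
    runs-on: ubuntu-latest
    # NOTE(review): floating tag — pin the scanner to a release (ideally a
    # digest) so results are reproducible and an upstream push cannot silently
    # change the tool that gates this pipeline.
    container: aquasec/trivy:latest
    strategy:
      # Scan every platform even when one fails; a failing amd64 scan must not
      # hide the results for the other architectures.
      fail-fast: false
      matrix:
        platform:
          - linux/amd64
          - linux/386
          - linux/arm64
          - linux/arm/v7
    steps:
      - name: Scan ${{ matrix.platform }} image with trivy
        env:
          # Trivy reads these in place of --username/--password. Keeping the
          # pull token out of argv means it is not visible to other processes
          # on the runner (`ps`) and cannot be echoed by shell tracing.
          TRIVY_USERNAME: ${{ env.user }}
          TRIVY_PASSWORD: ${{ secrets.DOCKER_PULL_TOKEN }}
          PLATFORM: ${{ matrix.platform }}
        # All user-controlled values (the dispatch input, matrix value) reach the
        # shell as environment variables rather than as ${{ }} interpolation, so
        # a crafted input cannot inject shell syntax into the script.
        run: |
          trivy image \
            --exit-code 1 \
            --scanners vuln,misconfig,secret \
            --severity HIGH,CRITICAL \
            --ignore-unfixed \
            --platform "$PLATFORM" \
            "$registry_gitea/$user/$image_name_gitea:$image_tag"
        # --exit-code 1 fails the job on any HIGH/CRITICAL finding.
        # --ignore-unfixed suppresses findings without an available fix; be
        # aware this hides known-but-unpatched vulnerabilities from the report.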