grafana/.github/workflows/trivy-scan.yml

name: Trivy Scan
on:
  pull_request:
    # only run on PRs where go.mod/go.sum/etc have been updated
    paths:
      - go.*
      - .github/workflows/trivy-scan.yml
  push:
    branches:
      - main
    paths:
      - go.*
      - .github/workflows/trivy-scan.yml

jobs:
  trivy-scan:
    runs-on: ubuntu-22.04
    steps:
    - uses: actions/checkout@v5
      with:
        persist-credentials: false
    - name: Install Trivy
      uses: aquasecurity/setup-trivy@9ea583eb67910444b1f64abf338bd2e105a0a93d
      with:
        version: v0.56.2
        cache: true
    - name: Download Trivy DB
      run: |
        trivy fs --no-progress --download-db-only --db-repository public.ecr.aws/aquasecurity/trivy-db        
    - name: Run Trivy vulnerability scanner (table output)
      # Use the trivy binary rather than the aquasecurity/trivy-action action
      # to avoid a few bugs.
      #
      # We scan the file system rather than building the Docker image to only scan
      # our direct dependencies. The Docker images are still scanned by
      # Vulnerability Observability:
      #   - OSS: https://ops.grafana-ops.net/a/grafana-vulnerabilityobs-app/projects/sources/1
      #   - Enterprise: https://ops.grafana-ops.net/a/grafana-vulnerabilityobs-app/projects/sources/12
      #   (If these links are outdated, just go to the list and find the images manually.)
      run: |
        trivy fs \
          --scanners vuln \
          --format table \
          --exit-code 1 \
          --ignore-unfixed \
          --pkg-types os,library \
          --severity CRITICAL,HIGH \
          --ignorefile .trivyignore \
          --skip-files yarn.lock,package.json \
          --skip-db-update \
          .        
    - name: Run Trivy vulnerability scanner (SARIF)
      # Use the trivy binary rather than the aquasecurity/trivy-action action
      # to avoid a few bugs
      run: |
        trivy fs \
          --scanners vuln \
          --format sarif \
          --output trivy-results.sarif \
          --ignore-unfixed \
          --pkg-types os,library \
          --ignorefile .trivyignore \
          --skip-db-update \
          .        
      if: always() && github.repository == 'grafana/grafana'
    - name: Upload Trivy scan results to GitHub Security tab
      uses: github/codeql-action/upload-sarif@v3
      with:
        sarif_file: 'trivy-results.sarif'
      if: always() && github.repository == 'grafana/grafana'