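---
# Trivy scanning workflow: a filesystem scan of the repository and a scan of
# the image built from the Dockerfile, both uploaded as SARIF to the
# GitHub Security tab (code scanning).
name: Trivy - Scan

# Least-privilege token. upload-sarif needs `security-events: write` to
# publish results; `contents: read` is enough for checkout and the image
# build; `actions: read` is documented as needed only on private repos.
# NOTE(review): on pull_request runs from forks the token is read-only, so
# the upload steps will fail there whatever is declared here — confirm
# whether fork PRs are expected to run this workflow.
permissions:
  contents: read
  security-events: write
  actions: read

on:  # yamllint disable-line rule:truthy
  schedule:
    # https://crontab.guru/daily
    - cron: '0 0 * * *'
  pull_request:

jobs:
  scan_repository:
    name: Scan the repository
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      # Supply-chain note: the actions below are pinned to mutable tags.
      # If repository policy requires immutable action references, pin each
      # `uses:` to a full commit SHA and keep the tag in a trailing comment.
      - name: Run Trivy vulnerability scanner in repo mode
        uses: aquasecurity/trivy-action@0.28.0
        with:
          scan-type: 'fs'
          ignore-unfixed: true
          format: 'sarif'
          output: 'trivy-results.sarif'
          severity: 'CRITICAL'

      - name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v3
        # Upload whatever Trivy produced even if an earlier step failed;
        # this matches the image-scan job below.
        if: always()
        with:
          sarif_file: 'trivy-results.sarif'
          # Both jobs upload Trivy SARIF for the same commit; without a
          # distinct category the later upload replaces the earlier one in
          # the Security tab. The category names are arbitrary labels.
          category: 'trivy-repo'

  scan_vulnerabilities:
    name: Scan the docker image
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      # The image is tagged with the commit SHA and only built locally;
      # nothing is pushed from this workflow.
      - name: Build an image from Dockerfile
        run: |
          docker build -t docker.io/hemmeligorg/hemmelig:${{ github.sha }} .

      # NOTE(review): unlike the repo job, this scan reports every severity
      # and includes unfixed findings — confirm that asymmetry is intended,
      # otherwise add `severity` / `ignore-unfixed` here as well.
      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@0.28.0
        with:
          image-ref: 'docker.io/hemmeligorg/hemmelig:${{ github.sha }}'
          format: 'sarif'
          output: 'trivy-results.sarif'

      - name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v3
        if: always()
        with:
          sarif_file: 'trivy-results.sarif'
          # Distinct from the repo job's category (see above).
          category: 'trivy-image'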