steadybit
diff --git a/‎.github/workflows/reusable-cve-scan-main.yml‎
Lines changed: 0 additions & 34 deletions b/‎.github/workflows/reusable-cve-scan-main.yml‎
Lines changed: 0 additions & 34 deletions
diff --git a/‎.github/workflows/reusable-cve-scan.yml‎
Lines changed: 68 additions & 0 deletions b/‎.github/workflows/reusable-cve-scan.yml‎
Lines changed: 68 additions & 0 deletions
@@ -0,0 +1,68 @@
+name: CVE Scan Main
+
+on:
+  workflow_call:
+    inputs:
+      image_tag:
+        description: 'Image tag to scan'
+        required: true
+        type: string
+      severities:
+        description: 'Severities to include in the scan'
+        required: false
+        default: 'CRITICAL,HIGH'
+        type: string
+      add_to_github_security:
+        description: 'Whether to add the scan results to the GitHub Security tab'
+        required: false
+        default: false
+        type: boolean
+      trivy_version:
+        description: 'Trivy version to use'
+        required: false
+        default: 'v0.67.2'
+        type: string
+
+jobs:
+  cve_scan:
+    permissions:
+      security-events: write
+    runs-on: ubuntu-latest
+    steps:
+      - name: Run Trivy
+        uses: aquasecurity/[email protected]
+        with:
+          image-ref: 'ghcr.io/${{ github.repository }}:${{ inputs.image_tag }}'
+          format: 'table'
+          ignore-unfixed: true
+          severity: ${{ inputs.severities }}
+          output: 'trivy-results.table'
+          version: ${{ inputs.trivy_version }}
+          exit-code: 1
+
+      - name: Append Trivy results to Step Summary
+        if: always()
+        run: |
+           while IFS= read -r line; do
+               if [[ $line == "┌"* ]]; then echo '```' >> $GITHUB_STEP_SUMMARY; fi
+               echo "$line" >> $GITHUB_STEP_SUMMARY
+               if [[ $line == *"┘" ]]; then echo '```' >> $GITHUB_STEP_SUMMARY; fi
+           done < "trivy-results.table"
+
+      - name: Run Trivy again for Github Security
+        uses: aquasecurity/[email protected]
+        if: ${{ always() && inputs.add_to_github_security }}
+        with:
+          image-ref: 'ghcr.io/${{ github.repository }}:${{ inputs.image_tag }}'
+          format: 'sarif'
+          ignore-unfixed: true
+          severity: ${{ inputs.severities }}
+          output: 'trivy-results.sarif'
+          version: '${{ inputs.trivy_version }}
+          skip-setup-trivy: 'true'
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v3
+        if: ${{ always() && inputs.add_to_github_security }}
+        with:
+          sarif_file: 'trivy-results.sarif'