ci: rename-trivy

yxtay · yxtay · commit 25f5fb48f24f · 2025-06-01T16:04:02.000+08:00
diff --git a/.github/workflows/scans.yml b/.github/workflows/scans.yml
@@ -302,7 +302,7 @@ jobs:
         with:
           sarif_file: ${{ steps.grype.outputs.sarif }}
 
-  trivy:
+  trivy-fs:
     permissions:
       contents: write
       security-events: write
@@ -314,16 +314,11 @@ jobs:
       - uses: aquasecurity/trivy-action@6c175e9c4083a92bbca2f9724c8a5e33bc2d97a5 # 0.30
         with:
           scan-type: fs
+          ignore-unfixed: true
+          severity: HIGH,CRITICAL
           format: github
           output: dependency-results.sbom.json
           github-pat: ${{ github.token }}
-          ignore-unfixed: true
-          severity: HIGH,CRITICAL
-
-      - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
-        with:
-          name: trivy-sbom-report
-          path: dependency-results.sbom.json
 
       - uses: aquasecurity/trivy-action@6c175e9c4083a92bbca2f9724c8a5e33bc2d97a5 # 0.30
         with:
@@ -332,12 +327,13 @@ jobs:
           severity: HIGH,CRITICAL
           format: sarif
           output: trivy-results.sarif
+          scanners: vuln,secret,misconfig
 
       - uses: github/codeql-action/upload-sarif@ff0a06e83cb2de871e5a09832bc6a81e7276941f # v3
         with:
           sarif_file: trivy-results.sarif
 
-  trivy-container:
+  trivy-image:
     permissions:
       contents: write
       security-events: write
@@ -346,8 +342,6 @@ jobs:
     env:
       GHCR_IMAGE_NAME: ghcr.io/${{ github.repository }}
     steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
-
       - id: build
         uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6
         with:
@@ -356,13 +350,20 @@ jobs:
 
       - uses: aquasecurity/trivy-action@6c175e9c4083a92bbca2f9724c8a5e33bc2d97a5 # 0.30
         with:
-          image-ref: ${{ env.IMAGE_ID}}
+          image-ref: ${{ steps.build.outputs.imageid }}
+          ignore-unfixed: true
+          severity: HIGH,CRITICAL
+          format: github
+          output: dependency-results.sbom.json
+          github-pat: ${{ github.token }}
+
+      - uses: aquasecurity/trivy-action@6c175e9c4083a92bbca2f9724c8a5e33bc2d97a5 # 0.30
+        with:
+          image-ref: ${{ steps.build.outputs.imageid }}
           ignore-unfixed: true
           severity: HIGH,CRITICAL
           format: sarif
           output: trivy-results.sarif
-        env:
-          IMAGE_ID: ${{ steps.build.outputs.imageid }}
 
       - uses: github/codeql-action/upload-sarif@ff0a06e83cb2de871e5a09832bc6a81e7276941f # v3
         with:
