EverShelf/.github/workflows/security.yml

name: Security Scan (Trivy)

env:
  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true

on:
  push:
    branches: [main, develop]
    paths:
      - 'Dockerfile'
      - 'docker-compose.yml'
      - 'api/**'
      - '.github/workflows/security.yml'
  schedule:
    # Run weekly on Monday at 07:00 UTC
    - cron: '0 7 * * 1'
  workflow_dispatch:

jobs:
  trivy-docker:
    name: Trivy — Docker image scan
    runs-on: ubuntu-latest
    permissions:
      security-events: write
      contents: read
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Build Docker image
        run: docker build -t evershelf:scan .

      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@v0.36.0
        with:
          image-ref: 'evershelf:scan'
          format: 'sarif'
          output: 'trivy-results.sarif'
          severity: 'CRITICAL,HIGH'
          ignore-unfixed: true
          exit-code: '0'   # don't fail the build, just report

      - name: Upload Trivy SARIF to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v4
        with:
          sarif_file: 'trivy-results.sarif'
          category: 'trivy-docker'

  trivy-fs:
    name: Trivy — Filesystem scan
    runs-on: ubuntu-latest
    permissions:
      security-events: write
      contents: read
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Run Trivy filesystem scanner
        uses: aquasecurity/trivy-action@v0.36.0
        with:
          scan-type: 'fs'
          scan-ref: '.'
          format: 'sarif'
          output: 'trivy-fs-results.sarif'
          severity: 'CRITICAL,HIGH'
          ignore-unfixed: true
          exit-code: '0'

      - name: Upload Trivy FS SARIF
        uses: github/codeql-action/upload-sarif@v4
        with:
          sarif_file: 'trivy-fs-results.sarif'
          category: 'trivy-fs'