Trivy Security Scan #36

	name: Trivy Security Scan

	on:
	pull_request:
	branches:
	- master
	push:
	branches:
	- master
	schedule:
	- cron: "0 1 * * *" # Run daily at 1:00 AM UTC

	jobs:
	trivy-scan:
	name: Trivy Vulnerability Scan
	runs-on: ubuntu-latest
	permissions:
	contents: read
	security-events: write
	actions: read

	steps:
	- name: Checkout code
	uses: actions/checkout@v6

	- name: Run Trivy vulnerability scanner in fs mode
	uses: aquasecurity/trivy-action@v0.36.0
	with:
	scan-type: "fs"
	scan-ref: "."
	format: "sarif"
	output: "trivy-results.sarif"
	severity: "CRITICAL,HIGH,MEDIUM"
	exit-code: "0" # Don't fail on vulnerabilities, only record them

	- name: Upload Trivy results to GitHub Security tab
	uses: github/codeql-action/upload-sarif@v4
	if: always()
	with:
	sarif_file: "trivy-results.sarif"

	- name: Run Trivy vulnerability scanner in table format
	uses: aquasecurity/trivy-action@v0.36.0
	with:
	scan-type: "fs"
	scan-ref: "."
	format: "table"
	severity: "CRITICAL,HIGH"
	exit-code: "1" # Fail only if CRITICAL/HIGH vulnerabilities found

Provide feedback