
Restrict permissions for Codex workflow #61




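# Copyright 2024-2025, Intel Corporation
# SPDX-License-Identifier: BSD-3-Clause
# Runs linter for Docker files
name: Trivy

# Workflow-level default for any job that does not declare its own
# `permissions` block. The single job below does declare one, so this
# value only matters if further jobs are added without a block.
permissions: read-all

on:
  workflow_dispatch:
  push:
  pull_request:
    paths:
      - '**/Dockerfile'
      - '.github/workflows/trivy.yml'
      - '.trivyignore'

# One run per workflow+ref; a newer run on the same ref cancels the older one.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

jobs:
  linux:
    name: Trivy
    runs-on: ubuntu-latest
    # A job-level `permissions` block replaces the workflow-level grant
    # entirely: every scope not listed here is set to `none`, so the
    # `contents: read` that `actions/checkout` relies on is not inherited
    # from `read-all` above. Grant it explicitly to keep the job on a
    # minimal, self-describing token.
    permissions:
      contents: read
      # Needed by codeql-action/upload-sarif to write to the Security tab.
      # NOTE(review): on a private repository upload-sarif also documents
      # needing `actions: read` — confirm against the repo's visibility.
      security-events: write
    steps:
      - name: Clone the git repo
        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0

      - name: Run Trivy
        uses: aquasecurity/trivy-action@f9424c10c36e288d5fa79bd3dfd1aeb2d6eae808 # v0.33.0
        with:
          scan-type: 'config'
          hide-progress: false
          format: 'sarif'
          output: 'trivy-results.sarif'
          trivyignores: '.trivyignore'
          # Skip released versions before v1.25.0.
          # Kept on one line on purpose: a folded (>-) scalar would insert
          # spaces after each comma and change the value Trivy receives.
          skip-dirs: 'docker/v1.24.0,docker/v1.23.0,docker/v1.22.0,docker/v1.21.0,docker/v1.20.0,docker/v1.19.0,docker/v1.18.0,docker/v1.17.0,docker/v1.16.0,docker/v1.15.0,docker/v1.14.1,docker/v1.14.0,docker/v1.13.0,docker/v1.12.0,docker/v1.11.0,docker/v1.10.0,docker/v1.9.2,docker/v1.9.1'

      # Echo the raw SARIF into the job log so findings are visible without
      # opening the Security tab or downloading the artifact.
      - name: Print report
        run: |
          echo "### Trivy report:"
          cat trivy-results.sarif

      - name: Upload Trivy results to Github Security tab
        uses: github/codeql-action/upload-sarif@f443b600d91635bebf5b0d9ebc620189c0d6fba5 # v4.30.8
        with:
          sarif_file: 'trivy-results.sarif'

      - name: Upload Trivy results
        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
        with:
          name: trivy-results.sarif
          path: trivy-results.sarif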