ionscale/.github/workflows/security-analysis.yml

name: "Security Analysis"

on:
  workflow_dispatch:
  schedule:
    - cron: '0 0 * * 0'

jobs:
  codeql:
    name: CodeQL
    runs-on: ubuntu-latest
    permissions:
      actions: read
      contents: read
      security-events: write
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: go
      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v3

  trivy:
    name: Trivy
    runs-on: ubuntu-latest
    permissions:
      actions: read
      security-events: write
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@0.19.0
        with:
          image-ref: ghcr.io/jsiebens/ionscale:latest
          format: 'sarif'
          output: 'trivy-results.sarif'
      - name: Upload Trivy scan results
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: 'trivy-results.sarif'