scan.yml

name: Scan

on:
  workflow_dispatch:
  schedule:
    - cron: "0 3 * * *"

permissions: {}

concurrency:
  group: scan-image
  cancel-in-progress: false

jobs:
  trivy:
    name: Scan published image
    runs-on: ubuntu-24.04
    timeout-minutes: 45
    permissions: {}

    steps:
      - name: Normalize image name
        id: image
        env:
          REPOSITORY_OWNER: ${{ github.repository_owner }}
        run: |
          owner="$(printf '%s' "${REPOSITORY_OWNER}" | tr '[:upper:]' '[:lower:]')"
          echo "name=ghcr.io/${owner}/mastodon" >>"${GITHUB_OUTPUT}"

      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25 # v0.36.0
        with:
          image-ref: ${{ steps.image.outputs.name }}:latest
          scan-type: image
          format: sarif
          output: trivy-results.sarif
          severity: CRITICAL,HIGH
          vuln-type: os
          scanners: vuln
          cache: false

      # Upload is isolated from the scanner so Trivy never gets security-events write access.
      - name: Persist SARIF report
        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
        with:
          name: trivy-results
          path: trivy-results.sarif
          if-no-files-found: error
          retention-days: 1

  upload-sarif:
    name: Upload SARIF results
    runs-on: ubuntu-24.04
    timeout-minutes: 15
    needs: trivy
    permissions:
      actions: read
      security-events: write

    steps:
      - name: Download SARIF report
        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
        with:
          name: trivy-results

      - name: Upload Trivy results to GitHub Security
        uses: github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
        with:
          sarif_file: trivy-results.sarif
          category: trivy-os