From 08ab2090bedd1301d722ece24ca3fd2c2eb65704 Mon Sep 17 00:00:00 2001
From: Juan Antonio Osorio
Date: Thu, 16 Jan 2025 12:06:24 +0200
Subject: [PATCH] Add dependency scanning to CI pipeline This enables dependency scanning via trivy.
Signed-off-by: Juan Antonio Osorio
---
 .github/workflows/security.yml | 30 ++++++++++++++++++++++++++++++
 1 file changed, 30 insertions(+)
 create mode 100644 .github/workflows/security.yml
diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
new file mode 100644
index 00000000..94b324c4
--- /dev/null
+++ b/.github/workflows/security.yml
@@ -0,0 +1,30 @@
+name: Security
+
+on:
+ pull_request:
+ push:
+ branches:
+ - main
+ schedule:
+ - cron: '0 0 * * *'
+
+jobs:
+ dependencies:
+ runs-on: ubuntu-latest
+ name: Dependencies & Secrets Scan
+ steps:
+ - name: Checkout
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+ - name: Code Security Scan
+ uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0 # v0.29.0
+ with:
+ scan-type: 'fs'
+ scanners: vuln,secret
+ trivy-config: .trivy.yml
+ exit-code: 1
+ ignore-unfixed: true
+ env:
+ TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db
+ TRIVY_USERNAME: ${{ github.actor }}
+ TRIVY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
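Review bot: The new workflow declares no `permissions:` block, so the job runs with the repository's default GITHUB_TOKEN scope, and that same token is handed to the scanner through `TRIVY_PASSWORD`; a scan-only job should be pinned to least privilege with a workflow-level `permissions:` / `contents: read` before `jobs:`. Pulling the public vulnerability DB from the registries listed in `TRIVY_DB_REPOSITORY` should still work with a read-scoped token, but confirm that on the first scheduled run. Separately, `trivy-config: .trivy.yml` points at a file this patch does not add (the diffstat shows only the workflow), so either it already exists in the repository or the step will fail when the action passes it to trivy. Pinning both actions to full commit SHAs with version comments is good practice and worth keeping as the convention for later edits.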