vaultwarden/.github/workflows/trivy.yml

name: trivy

on:
  push:
    branches:
      - main
    tags:
      - '*'
  pull_request:
    branches: [ "main" ]
  schedule:
    - cron: '08 11 * * *'

permissions:
  contents: read

jobs:
  trivy-scan:
    # Only run this in the master repo and not on forks
    # When all forks run this at the same time, it is causing `Too Many Requests` issues
    if: ${{ github.repository == 'dani-garcia/vaultwarden' }}
    name: Check
    runs-on: ubuntu-24.04
    timeout-minutes: 30
    permissions:
      contents: read
      security-events: write
      actions: read
    steps:
      - name: Checkout code
        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 #v4.2.1

      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@5681af892cd0f4997658e2bacc62bd0a894cf564 # v0.27.0
        with:
          scan-type: repo
          ignore-unfixed: true
          format: sarif
          output: trivy-results.sarif
          severity: CRITICAL,HIGH

      - name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@2bbafcdd7fbf96243689e764c2f15d9735164f33 # v3.26.6
        with:
          sarif_file: 'trivy-results.sarif'
ci: add trivy workflow (#3997) * ci: add trivy workflow to ensure critical and high vulnerabilties are detected quickly * push trivy-action to 0.13.1 2023-11-05 15:00:24 +01:00			`name: trivy`

			`on:`
			`push:`
			`branches:`
			`- main`
			`tags:`
			`- '*'`
			`pull_request:`
			`branches: [ "main" ]`
			`schedule:`
Updates and collection management fixes (#5072) * Fix collections not editable by managers Since a newer version of the web-vault we use manager were not able to create sub collections anymore. This was because of some missing details in the response of some json objects. This commit fixes this by using the `to_json_details` instead of the `to_json` Fixes #5066 Fixes #5044 * Update crates and GitHub Actions - Updated all the crates - Updated all the GHA dependencies - Configured the trivy workflow to only run on the main repo and not on forks Also selected a random new scheduled date so it will not run at the same time as all other forks. The two changes should help running this scan every day without failing, and also prevent the same for new or updated forks. 2024-10-11 18:42:40 +02:00			`- cron: '08 11 * * *'`
ci: add trivy workflow (#3997) * ci: add trivy workflow to ensure critical and high vulnerabilties are detected quickly * push trivy-action to 0.13.1 2023-11-05 15:00:24 +01:00
			`permissions:`
			`contents: read`

			`jobs:`
			`trivy-scan:`
Updates and collection management fixes (#5072) * Fix collections not editable by managers Since a newer version of the web-vault we use manager were not able to create sub collections anymore. This was because of some missing details in the response of some json objects. This commit fixes this by using the `to_json_details` instead of the `to_json` Fixes #5066 Fixes #5044 * Update crates and GitHub Actions - Updated all the crates - Updated all the GHA dependencies - Configured the trivy workflow to only run on the main repo and not on forks Also selected a random new scheduled date so it will not run at the same time as all other forks. The two changes should help running this scan every day without failing, and also prevent the same for new or updated forks. 2024-10-11 18:42:40 +02:00			`# Only run this in the master repo and not on forks`
			# When all forks run this at the same time, it is causing `Too Many Requests` issues
			`if: ${{ github.repository == 'dani-garcia/vaultwarden' }}`
ci: add trivy workflow (#3997) * ci: add trivy workflow to ensure critical and high vulnerabilties are detected quickly * push trivy-action to 0.13.1 2023-11-05 15:00:24 +01:00			`name: Check`
Update GitHub Action Workflows (#4849) 2024-08-13 12:52:07 +02:00			`runs-on: ubuntu-24.04`
ci: add trivy workflow (#3997) * ci: add trivy workflow to ensure critical and high vulnerabilties are detected quickly * push trivy-action to 0.13.1 2023-11-05 15:00:24 +01:00			`timeout-minutes: 30`
			`permissions:`
			`contents: read`
			`security-events: write`
			`actions: read`
			`steps:`
			`- name: Checkout code`
Updates and collection management fixes (#5072) * Fix collections not editable by managers Since a newer version of the web-vault we use manager were not able to create sub collections anymore. This was because of some missing details in the response of some json objects. This commit fixes this by using the `to_json_details` instead of the `to_json` Fixes #5066 Fixes #5044 * Update crates and GitHub Actions - Updated all the crates - Updated all the GHA dependencies - Configured the trivy workflow to only run on the main repo and not on forks Also selected a random new scheduled date so it will not run at the same time as all other forks. The two changes should help running this scan every day without failing, and also prevent the same for new or updated forks. 2024-10-11 18:42:40 +02:00			`uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 #v4.2.1`
ci: add trivy workflow (#3997) * ci: add trivy workflow to ensure critical and high vulnerabilties are detected quickly * push trivy-action to 0.13.1 2023-11-05 15:00:24 +01:00
			`- name: Run Trivy vulnerability scanner`
Updates and collection management fixes (#5072) * Fix collections not editable by managers Since a newer version of the web-vault we use manager were not able to create sub collections anymore. This was because of some missing details in the response of some json objects. This commit fixes this by using the `to_json_details` instead of the `to_json` Fixes #5066 Fixes #5044 * Update crates and GitHub Actions - Updated all the crates - Updated all the GHA dependencies - Configured the trivy workflow to only run on the main repo and not on forks Also selected a random new scheduled date so it will not run at the same time as all other forks. The two changes should help running this scan every day without failing, and also prevent the same for new or updated forks. 2024-10-11 18:42:40 +02:00			`uses: aquasecurity/trivy-action@5681af892cd0f4997658e2bacc62bd0a894cf564 # v0.27.0`
ci: add trivy workflow (#3997) * ci: add trivy workflow to ensure critical and high vulnerabilties are detected quickly * push trivy-action to 0.13.1 2023-11-05 15:00:24 +01:00			`with:`
			`scan-type: repo`
			`ignore-unfixed: true`
			`format: sarif`
			`output: trivy-results.sarif`
			`severity: CRITICAL,HIGH`

			`- name: Upload Trivy scan results to GitHub Security tab`
Updates and collection management fixes (#5072) * Fix collections not editable by managers Since a newer version of the web-vault we use manager were not able to create sub collections anymore. This was because of some missing details in the response of some json objects. This commit fixes this by using the `to_json_details` instead of the `to_json` Fixes #5066 Fixes #5044 * Update crates and GitHub Actions - Updated all the crates - Updated all the GHA dependencies - Configured the trivy workflow to only run on the main repo and not on forks Also selected a random new scheduled date so it will not run at the same time as all other forks. The two changes should help running this scan every day without failing, and also prevent the same for new or updated forks. 2024-10-11 18:42:40 +02:00			`uses: github/codeql-action/upload-sarif@2bbafcdd7fbf96243689e764c2f15d9735164f33 # v3.26.6`
ci: add trivy workflow (#3997) * ci: add trivy workflow to ensure critical and high vulnerabilties are detected quickly * push trivy-action to 0.13.1 2023-11-05 15:00:24 +01:00			`with:`
			`sarif_file: 'trivy-results.sarif'`