security-scan.yml

name: Security scan

on:
  push:
    branches: ["main"]
  pull_request:
    branches: ["main"]
  schedule:
    - cron: "37 15 * * 3"

permissions:
  contents: read

jobs:
  security:
    permissions:
      contents: read
      security-events: write
      actions: read
    name: Security scan Postgre Container
    runs-on: "ubuntu-latest"
    strategy:
      matrix:
        version: [14, 15, 16, 17]
        os: ["bookworm", "bullseye"]
    steps:
      - name: Checkout code
        uses: actions/checkout@v6

      - uses: extractions/setup-just@v2

      - name: Build Docker image
        run: |
          just build ${{ matrix.version }} ${{ matrix.os }}

      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: "ghcr.io/bitbytelabio/postgres:${{ matrix.version }}"
          format: "template"
          template: "@/contrib/sarif.tpl"
          output: "trivy-results.sarif"
          severity: "CRITICAL,HIGH,MEDIUM,LOW"

      - name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: "trivy-results.sarif"