97 changes: 97 additions & 0 deletions .github/workflows/trivy.yaml
@@ -0,0 +1,97 @@
name: Trivy Security Scan
on:
pull_request:
paths:
- 'terraform/**'
- '.github/workflows/trivy.yaml'
push:
branches:
- main
paths:
- 'terraform/**'
- '.github/workflows/trivy.yaml'

concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true

jobs:
trivy-aws:
name: Trivy IaC Scan (AWS)

Check notice

Code scanning / SonarCloud

Write permissions should be defined at the job level Low

Move this write permission from workflow level to job level. See more on SonarQube Cloud
runs-on: ubuntu-latest
permissions:
contents: read
security-events: write
steps:
- name: Checkout code
uses: actions/checkout@v4

- name: Run Trivy scanner (table output)
uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0
with:
scan-type: 'fs'
scan-ref: 'terraform/aws/modules/'
scanners: 'vuln,secret,misconfig'
ignore-unfixed: false
exit-code: '0'
format: 'table'
severity: 'CRITICAL,HIGH'

- name: Run Trivy scanner (SARIF output)
uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0
with:
scan-type: 'fs'
scan-ref: 'terraform/aws/modules/'
scanners: 'vuln,secret,misconfig'
ignore-unfixed: false
exit-code: '0'
format: 'sarif'
output: 'trivy-aws-results.sarif'
severity: 'CRITICAL,HIGH'

- name: Upload AWS scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v3
if: always()
with:
sarif_file: 'trivy-aws-results.sarif'
category: 'trivy-iac-aws'

trivy-azure:
name: Trivy IaC Scan (Azure)
runs-on: ubuntu-latest
permissions:
contents: read
security-events: write
steps:
- name: Checkout code
uses: actions/checkout@v4

- name: Run Trivy scanner (table output)
uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0
with:
scan-type: 'fs'
scan-ref: 'terraform/azure/modules/'
scanners: 'vuln,secret,misconfig'
ignore-unfixed: false
exit-code: '0'
format: 'table'
severity: 'CRITICAL,HIGH'

- name: Run Trivy scanner (SARIF output)
uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0
with:
scan-type: 'fs'
scan-ref: 'terraform/azure/modules/'
scanners: 'vuln,secret,misconfig'
ignore-unfixed: false
exit-code: '0'
format: 'sarif'
output: 'trivy-azure-results.sarif'
severity: 'CRITICAL,HIGH'

- name: Upload Azure scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v3
if: always()
with:
sarif_file: 'trivy-azure-results.sarif'
category: 'trivy-iac-azure'
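Review bot: The "Checkout code" and "Upload … scan results" steps in both jobs reference `actions/checkout@v4` and `github/codeql-action/upload-sarif@v3` by mutable tag, while the trivy-action steps are pinned to a full commit SHA, so the workflow's supply-chain posture is only as strong as its loosest pin; pin them the same way, e.g. `uses: actions/checkout@<full-commit-sha> # v4` and `uses: github/codeql-action/upload-sarif@<full-commit-sha> # v3`. Every scan step sets `exit-code: '0'`, so findings surface only in the Security tab and never fail the check — if that is deliberate, a comment above the first scan step such as `# exit-code 0: report-only; findings are triaged in the Security tab` would save the next reader the question. The `trivy-aws` and `trivy-azure` jobs differ only in `scan-ref`, `output`, and `category`, which a single job with a `strategy.matrix` over the cloud name would express once (sketch below). I believe `pull_request` runs from forks get a read-only token, so the `upload-sarif` step would fail there despite `if: always()`; guarding it with `if: always() && github.event.pull_request.head.repo.full_name == github.repository` avoids a misleading red check, but confirm against how the repository accepts contributions.
```yaml
jobs:
  trivy-iac:
    name: Trivy IaC Scan (${{ matrix.cloud }})
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write
    strategy:
      fail-fast: false
      matrix:
        cloud: [aws, azure]
    steps:
      - name: Checkout code
        uses: actions/checkout@<full-commit-sha> # v4
      # … unchanged: table-output step, with scan-ref: 'terraform/${{ matrix.cloud }}/modules/' …
      - name: Run Trivy scanner (SARIF output)
        uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0
        with:
          scan-type: 'fs'
          scan-ref: 'terraform/${{ matrix.cloud }}/modules/'
          # … unchanged: scanners, ignore-unfixed, exit-code, severity …
          format: 'sarif'
          output: 'trivy-${{ matrix.cloud }}-results.sarif'
      - name: Upload scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@<full-commit-sha> # v3
        if: always()
        with:
          sarif_file: 'trivy-${{ matrix.cloud }}-results.sarif'
          category: 'trivy-iac-${{ matrix.cloud }}'
```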