name: Vulnerability Scan & Triage

# Manual trigger only for now; the nightly schedule is kept as a comment so it
# can be re-enabled by uncommenting it.
on:  # yamllint disable-line rule:truthy
  # schedule:
  #   # Run nightly at 2am UTC
  #   - cron: '0 2 * * *'
  workflow_dispatch:
    inputs:
      image_tag:
        description: 'Image tag to scan (default: latest)'
        required: false
        default: 'latest'
      dry_run:
        # Not referenced by the scan job below; presumably read by a
        # downstream triage job.
        description: 'Dry run (analyze but do not create Linear issues)'
        type: boolean
        required: false
        default: false

env:
  # Image repository scanned by the Trivy job; the tag is taken from the
  # `image_tag` input.
  IMAGE: ghcr.io/sourcebot-dev/sourcebot

# Least-privilege job token: read the checked-out config and pull the image.
permissions:
  contents: read
  packages: read
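jobs:
  scan:
    name: Trivy Scan
    runs-on: ubuntu-latest
    # Bound the job so a hung image pull or vulnerability-DB download cannot
    # run until the runner limit.
    timeout-minutes: 30
    outputs:
      # Consumed by downstream jobs to decide whether triage is needed.
      has_vulnerabilities: ${{ steps.check.outputs.has_vulnerabilities }}
    steps:
      # Needed only for the repo-local `trivy.yaml` config passed to Trivy.
      - name: Checkout repository
        uses: actions/checkout@v4

      # `packages: read` plus the job token is sufficient to pull the image.
      - name: Log in to GHCR
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      # Pinned to a release tag instead of the mutable `master` branch so the
      # scanner code cannot change underneath this workflow; pinning to the
      # tag's commit SHA is stronger still and is the recommended next step.
      - name: Run Trivy vulnerability scan
        uses: aquasecurity/trivy-action@0.28.0
        with:
          # Falls back to `latest` when the run has no `image_tag` input
          # (e.g. a scheduled run).
          image-ref: "${{ env.IMAGE }}:${{ inputs.image_tag || 'latest' }}"
          format: "table"
          output: "trivy-results.txt"
          trivy-config: trivy.yaml
          # Findings must not fail this step; the check step below turns them
          # into a job output instead.
          exit-code: "0"

      # The grep relies on Trivy's table report printing a "Total: N (...)"
      # line per target; any non-zero total means findings were reported.
      # Severity filtering, if any, comes from trivy.yaml.
      - name: Check for vulnerabilities
        id: check
        run: |
          if [ -s trivy-results.txt ] && grep -qE "Total: [1-9]" trivy-results.txt; then
            echo "has_vulnerabilities=true" >> "$GITHUB_OUTPUT"
          else
            echo "has_vulnerabilities=false" >> "$GITHUB_OUTPUT"
          fi

      # Keep the raw report for triage only when there is something to triage.
      - name: Upload scan results
        if: steps.check.outputs.has_vulnerabilities == 'true'
        uses: actions/upload-artifact@v4
        with:
          name: trivy-results
          path: trivy-results.txt
          retention-days: 30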