Analysis #135

	# https://docs.github.com/actions

	name: Analysis

	on:
	schedule:
	- cron: '43 2 * * 6'
	workflow_call:
	inputs:
	artifact:
	required: false
	default: true
	type: string
	description: True if analysis must be run against a built artifact
	workflow_dispatch:

	jobs:
	trivy:
	name: Trivy
	runs-on: ubuntu-latest
	permissions:
	actions: read
	contents: read
	security-events: write
	strategy:
	matrix:
	variant: [fpm-alpine, fpm, apache]
	steps:
	- name: Retrieve image artifact
	uses: actions/download-artifact@v4
	if: inputs.artifact
	with:
	name: ${{ matrix.variant }}-image

	- name: Run Trivy scanner
	uses: aquasecurity/[email protected]
	if: inputs.artifact
	with:
	input: container-image.tar
	format: template
	template: '@/contrib/sarif.tpl'
	output: results.sarif

	- name: Run Trivy scanner
	uses: aquasecurity/[email protected]
	if: "! inputs.artifact"
	with:
	image-ref: ghcr.io/${{ vars.REGISTRY_IMAGE }}:${{ matrix.variant }}
	format: template
	template: '@/contrib/sarif.tpl'
	output: results.sarif

	- name: Upload scan results to GitHub Security tab
	uses: github/codeql-action/upload-sarif@v3
	with:
	sarif_file: results.sarif

Provide feedback