From 6db2590d7615fe389506c8b38e893fcfa12d1635 Mon Sep 17 00:00:00 2001
From: Manuel Puchta
Date: Thu, 28 Nov 2024 18:01:56 +0100
Subject: [PATCH] Switch to image scan for trivy scan

---
.github/workflows/scan.yml | 14 +++++++++-----
1 file changed, 9 insertions(+), 5 deletions(-)

diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml
index 341c29e..e6ccff8 100644
--- a/.github/workflows/scan.yml
+++ b/.github/workflows/scan.yml
@@ -7,6 +7,11 @@ on:
 workflow_dispatch:
 workflow_call:
+env:
+ CONTAINER_REGISTRY: ghcr.io
+ CONTAINER_IMAGE_NAME: ${{ github.repository }}
+ CONTAINER_IMAGE_VERSION: ${{ github.sha }}
+
 jobs:
 vulnerability-scan:
 runs-on: ubuntu-latest
@@ -31,15 +36,14 @@ jobs:
 # Specify multiple registries: try default GitHub registry, if too many requests, use the aws mirror.
 TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db
 with:
- scanners: "vuln"
- scan-type: "fs"
+ image-ref: ${{ env.CONTAINER_REGISTRY }}/${{ env.CONTAINER_IMAGE_NAME }}:${{ env.CONTAINER_IMAGE_VERSION }}
 format: "sarif"
 # By default SARIF format enforces output of all vulnerabilities regardless of configured severities.
 # To override this set limit-severities-for-sarif to true.
- limit-severities-for-sarif: true
+ # limit-severities-for-sarif: true
 output: "trivy-results.sarif"
- severity: "CRITICAL,HIGH"
- exit-code: "1" # Fail the build!
+ # severity: "CRITICAL,HIGH"
+ # exit-code: "1" # Fail the build!
 - name: Check trivy results
 run: |
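Review bot: `CONTAINER_IMAGE_NAME: ${{ github.repository }}` is later spliced into the registry path of `image-ref`, and as far as I know GHCR accepts only lowercase image names while `github.repository` keeps the owner's and repository's original casing; if either contains an uppercase letter the pull in the scan step will fail on an invalid reference rather than on a missing image. If the repository is known to be all-lowercase, say so where the value is defined, e.g. `# GHCR image names must be lowercase; github.repository is assumed to be lowercase already`; otherwise derive a lowercased name in a step (`"${GITHUB_REPOSITORY,,}"` written to `$GITHUB_ENV`) before the scan job reads it. The same caveat applies to the `image-ref` line in the second hunk.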
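Review bot: Commenting out `severity`, `exit-code: "1"` and `limit-severities-for-sarif` means the trivy step itself no longer fails on CRITICAL/HIGH findings, so the build now passes or fails solely according to the `Check trivy results` step, whose body lies outside this hunk; the commit message does not mention that shift, and the commented-out lines leave a reader guessing whether the gate was dropped on purpose. Either delete the dead lines or replace them with a comment such as `# Severity gating happens in the "Check trivy results" step below; trivy reports every severity here so the SARIF output stays complete.` A second point: scanning `image-ref` from ghcr.io requires the image to have been pushed at `${{ github.sha }}` before this job runs and, for a private package, a registry login, yet neither a dependency on a build job nor a login step is visible here, so a `workflow_dispatch` run without a prior push would fail on image-not-found instead of reporting vulnerabilities. Dropping `scanners: "vuln"` also restores the action's default scanner set, which — if I recall the defaults correctly — adds secret scanning to the run; worth stating in the message if that is intended.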