Security Scan #59

	# SPDX-FileCopyrightText: Copyright 2025 Stacklok, Inc.
	# SPDX-License-Identifier: Apache-2.0

	name: Security Scan

	on:
	pull_request:
	branches: [ main ]
	schedule:
	- cron: '0 0 * * 0' # Run weekly on Sundays at midnight

	permissions:
	contents: read

	jobs:
	trivy-scan:
	name: Trivy Security Scan
	runs-on: ubuntu-latest
	steps:
	- name: Checkout code
	uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6

	- name: Run Trivy vulnerability scanner in repo mode
	uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # 0.35.0
	with:
	scan-type: 'fs'
	ignore-unfixed: true
	format: 'table'
	exit-code: '1'
	severity: 'CRITICAL,HIGH'

	- name: Run Trivy vulnerability scanner in IaC mode
	uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # 0.35.0
	with:
	scan-type: 'config'
	hide-progress: false
	format: 'table'
	exit-code: '1'
	severity: 'CRITICAL,HIGH'

Provide feedback