Security #641

	name: Security

	on:
	schedule:
	- cron: "30 5 * * MON-FRI" # Every weekday at 05:30 UTC
	workflow_dispatch:
	push:
	branches:
	- main
	paths:
	- '**/.trivyignore'

	jobs:
	check-dependencies:
	runs-on: ubuntu-latest
	steps:
	- uses: actions/checkout@v4
	- uses: ./.github/actions/setup

	- name: Build image
	run: ./gradlew bootBuildImage --info --build-cache
	env:
	ORG_GRADLE_PROJECT_version: local

	- name: Scan image
	uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0 # v0.29.0
	with:
	image-ref: delius-user-management:local
	ignore-unfixed: true
	severity: CRITICAL,HIGH
	exit-code: 0
	format: sarif
	output: trivy-results.sarif
	limit-severities-for-sarif: true
	env:
	TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db:2,ghcr.io/aquasecurity/trivy-db:2
	TRIVY_JAVA_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-java-db:1,ghcr.io/aquasecurity/trivy-java-db:1

	- name: Upload Trivy scan results to GitHub Security
	uses: github/codeql-action/upload-sarif@v3
	if: always()
	with:
	sarif_file: trivy-results.sarif

Provide feedback