Merge pull request #398 from stefanprodan/govulncheck

Run CVE scan with govulncheck

Author: stefanprodan

.github/workflows/cve-scan.yml

@@ -1,31 +1,23 @@
 name: cve-scan
 
 on:
+  workflow_dispatch:
   push:
     branches:
       - "master"
+  pull_request:
+    branches:
+      - "master"
 
 permissions:
   contents: read
 
 jobs:
-  trivy:
+  govulncheck:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
         uses: actions/checkout@v4
-      - name: Build image
-        id: build
-        run: |
-          IMAGE=test/podinfo:${GITHUB_SHA}
-          docker build -t ${IMAGE} .
-          echo "image=$IMAGE" >> $GITHUB_OUTPUT
-      - name: Run Trivy vulnerability scanner
-        uses: aquasecurity/trivy-action@v0.30.0
-        with:
-          image-ref: ${{ steps.build.outputs.image }}
-          format: table
-          exit-code: "1"
-          ignore-unfixed: true
-          vuln-type: os,library
-          severity: CRITICAL,HIGH
+      - name: Vulnerability scan
+        id: govulncheck
+        uses: golang/govulncheck-action@v1

README.md

@@ -25,7 +25,7 @@ Specifications:
 * Multi-arch container image with Docker buildx and GitHub Actions
 * Container image signing with Sigstore cosign
 * SBOMs and SLSA Provenance embedded in the container image
-* CVE scanning with Trivy
+* CVE scanning with govulncheck
 
 Web API: