.github/workflows/cve-scan.yml

name: CVE Scan

on:
  push:
    branches: ["main"]
    tags: ["**"]
  pull_request:
    types:
      - opened
      - reopened
      - synchronize
  schedule:
    - cron: "14 3 * * 1-5"
  workflow_dispatch:

concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

jobs:
  scan:
    runs-on: ubuntu-latest
    timeout-minutes: 10
    steps:
      - name: Checkout repo
        uses: actions/checkout@v4
        with:
          fetch-depth: 1

      - name: Cache requirements
        uses: actions/cache@v4
        env:
          cache-name: cache-requirements
        with:
          path: ~/.cache/pip
          key: ${{ env.cache-name }}-${{ hashFiles('requirements.txt') }}
          restore-keys: |
            ${{ env.cache-name }}-

      - name: Cache environment
        uses: actions/cache@v4
        env:
          cache-name: cache-environment
        with:
          path: ~/.cache/pip
          key: ${{ env.cache-name }}-${{ hashFiles('*.lock') }}
          restore-keys: |
            ${{ env.cache-name }}-

      - name: Setup python
        uses: actions/setup-python@v5
        with:
          python-version: 3.11

      - name: Install requirements
        run: make setup

      - name: Export dependencies
        run: |
          mkdir --parents pdm
          pdm export-all > pdm/requirements.txt

      - name: Run trivy
        uses: aquasecurity/trivy-action@master
        with:
          format: 'sarif'
          list-all-pkgs: 'true'
          output: 'trivy-results.sarif'
          scan-ref: '.'
          scan-type: 'fs'
          severity: 'MEDIUM,HIGH,CRITICAL'

      - name: Publish results
        uses: github/codeql-action/upload-sarif@v3
        if: always()
        with:
          sarif_file: 'trivy-results.sarif'