trivy dependency check for package.json #190

	name: trivy dependency check for package.json
	# https://github.com/aquasecurity/trivy-action#usage
	# TODO: aquaを使ってインストールして使う形にしたほうがわかりやすいかも
	on:
	push:
	paths:
	- "package.json"
	- ".github/workflows/react-dependency-check.yaml"
	schedule:
	# 日曜日の午前0時に実行
	- cron: '0 0 * * 0'

	defaults:
	run:
	shell: bash

	jobs:
	trivy-scan:
	runs-on: ubuntu-latest
	permissions:
	contents: read
	security-events: write

	steps:
	- name: clone application source code
	uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7

	- name: use trivy
	uses: aquasecurity/trivy-action@595be6a0f6560a0a8fc419ddf630567fc623531d # v0.22.0
	with:
	scan-type: 'fs'
	#exit-code: 1
	scanners: 'vuln'
	vuln-type: 'library'
	hide-progress: true
	format: 'sarif'
	output: 'sca-report.sarif'
	severity: 'CRITICAL,HIGH'

	- name: save report as pipeline artifact
	uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
	with:
	name: sca-report.sarif
	path: sca-report.sarif

	- name: publish trivy alerts
	uses: github/codeql-action/upload-sarif@a073c66b2accf653a511d88537804dcafa07812e # v2.25.10
	with:
	sarif_file: 'sca-report.sarif'
	category: trivy

Provide feedback