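# Scans the repository working tree with Trivy and fails the job when a
# HIGH or CRITICAL finding is reported.
name: Trivy Filesystem Scan

on:
  pull_request:
    branches: [main]
  workflow_dispatch:

# Least privilege: the job only needs to read the repository contents.
permissions:
  contents: read

# NOTE(review): the workflow-wide `GIT_SSL_NO_VERIFY: "true"` was removed.
# It turns off TLS certificate verification for every git operation in the
# job, including the checkout of the code being scanned, so a party on the
# network path could substitute repository content without detection. If a
# self-hosted runner behind a TLS-inspecting proxy ever needs this workflow,
# install the proxy CA on that runner instead of disabling verification.

jobs:
  trivy-scan:
    name: Trivy FS Scan
    runs-on: ubuntu-latest
    steps:
      # Action pinned to a full commit SHA so a moved tag cannot change the
      # code that runs here.
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          # Later steps run a downloaded binary; do not leave the job token
          # in the local git config for it to read.
          persist-credentials: false

      - name: Install Trivy
        env:
          TRIVY_VERSION: "0.58.1"
        run: |
          # Fail on any error, including a failed download (the original
          # `wget | tar` pipeline reported only tar's exit status).
          set -euo pipefail
          base="https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}"
          archive="trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz"
          checksums="trivy_${TRIVY_VERSION}_checksums.txt"
          # Download outside the workspace so the archive is not itself
          # picked up by the filesystem scan.
          wget -q -P "${RUNNER_TEMP}" "${base}/${archive}" "${base}/${checksums}"
          # Verify the archive before unpacking it. The checksum list comes
          # from the same release, so this detects a corrupted or truncated
          # download but not a tampered release; for that, pin a reviewed
          # SHA-256 in this repository or verify the release signature.
          (cd "${RUNNER_TEMP}" && sha256sum --check --ignore-missing "${checksums}")
          # Extract only the binary into the workspace root.
          tar xzf "${RUNNER_TEMP}/${archive}" trivy
          chmod +x trivy

      - name: Scan filesystem
        # A non-zero exit on HIGH/CRITICAL findings blocks the pull request.
        run: ./trivy fs --severity HIGH,CRITICAL --exit-code 1 .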