devpod-terraform/.github/workflows/codescanning.yaml

name: build
on:
  push:
    branches:
      - main
      - devpod
  pull_request:
jobs:
  build:
    name: Build
    runs-on: ubuntu-20.04
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Run Trivy scanner
        uses: aquasecurity/trivy-action@0.28.0
        with:
          scan-type: config
          hide-progress: true
          output: trivy.txt
          exit-code: '1'
          severity: 'CRITICAL,HIGH'
          github-pat: {{ secret.PLT_GIT }}
          
      - name: Publish Trivy Output to Summary
        run: |
          if [[ -s trivy.txt ]]; then
            {
              echo "### Security Output"
              echo "<details><summary>Click to expand</summary>"
              echo ""
              echo '```terraform'
              cat trivy.txt
              echo '```'
              echo "</details>"
            } >> $GITHUB_STEP_SUMMARY
          fi