ci: using trivy in place of syft and grype

Author: Tbaile

.github/workflows/scans.yml

@@ -14,23 +14,22 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
       - uses: actions/checkout@v4
-      - name: Generate
-        uses: anchore/sbom-action@v0
+      - name: Update Dependency Graph
+        uses: aquasecurity/trivy-action@0.28.0
         with:
-          output-file: sbom.spdx.json
-          dependency-snapshot: true
-      - name: Scan
-        uses: anchore/scan-action@v6
-        id: scan
+          scan-type: fs
+          scan-ref: .
+          format: github
+          output: sbom.spdx.json
+          github-pat: ${{ secrets.GITHUB_TOKEN }}
+      - name: Generate Sarif Report
+        uses: aquasecurity/[email protected]
         with:
-          sbom: sbom.spdx.json
-          fail-build: false
+          scan-type: fs
+          scan-ref: .
+          format: sarif
+          output: trivy.sarif.json
       - name: Upload report to GitHub
         uses: github/codeql-action/upload-sarif@v3
         with:
-          sarif_file: ${{ steps.scan.outputs.sarif }}
-      - name: Upload SARIF artifact
-        uses: actions/upload-artifact@v4
-        with:
-          path: ${{ steps.scan.outputs.sarif }}
-          name: sarif-report
+          sarif_file: trivy.sarif.json