From c32920cc8e4a7f7b21bb648acd0ff6481edd604f Mon Sep 17 00:00:00 2001
From: Dries De Peuter
Date: Thu, 9 Feb 2023 23:54:08 +0100
Subject: [PATCH] ci: Add trivy scan to docker build
---
 .github/workflows/test.yaml | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml
index a214e59..808c5e8 100644
--- a/.github/workflows/test.yaml
+++ b/.github/workflows/test.yaml
@@ -23,6 +23,8 @@ jobs:
 with:
 push: false
 tags: 'ledger:${{ github.sha }}'
+ cache-from: type=gha
+ cache-to: type=gha,mode=max

 - name: Run Trivy vulnerability scanner
 uses: aquasecurity/trivy-action@master
@@ -30,6 +32,8 @@ jobs:
 image-ref: 'ledger:${{ github.sha }}'
 format: 'sarif'
 output: 'trivy-results.sarif'
+ ignore-unfixed: true
+ severity: 'CRITICAL,HIGH'

 - name: Upload Trivy scan results to GitHub Security tab
 uses: github/codeql-action/upload-sarif@v2
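Review bot: In the first hunk (`@@ -23,6 +23,8 @@`) the build step sets `push: false` with no `load: true`, while the added `type=gha` cache generally requires a Buildx builder on the docker-container driver, which leaves the built image in the build cache instead of the local Docker daemon. If the job's builder is set up that way (the setup steps and this step's `uses:` line are outside the hunk), the Trivy step that follows would not find `ledger:${{ github.sha }}` locally, so the scan would fail or attempt a registry lookup for an image that was never pushed. Adding `load: true` beside `push: false` keeps the scanned image the one that was just built.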
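Review bot: In the second hunk (`@@ -30,6 +32,8 @@`) `ignore-unfixed: true` drops every finding without an upstream fix from `trivy-results.sarif`, so an unfixed CRITICAL never reaches the Security tab, and no `exit-code` is visible in this `with:` block, so nothing else records it. trivy-action documents that SARIF output keeps all severities unless `limit-severities-for-sarif: true` is set, so the added `severity: 'CRITICAL,HIGH'` may not filter the upload at all; confirm against the action version that actually runs. That version is not fixed, because the step uses `aquasecurity/trivy-action@master` (the `uses:` line at the end of the previous hunk); pinning it to a release tag or commit SHA would make the scan's behaviour reproducible. I would also put a comment above the two new inputs, e.g. `# Unfixed findings are intentionally excluded; only fixable CRITICAL/HIGH are reported`.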