Skip to content
Latchkey

GitHub Actions Workflow for Security Scanning with CodeQL and Trivy

Scan code with CodeQL and dependencies with Trivy.

This workflow runs CodeQL analysis and a Trivy filesystem scan, surfacing findings in the Security tab via SARIF.

The workflow

.github/workflows/security.yml
name: Security
on:
  push:
    branches: [main]
  schedule:
    - cron: '0 6 * * 1'
permissions:
  security-events: write
  contents: read
jobs:
  codeql:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: github/codeql-action/init@v3
        with: { languages: javascript }
      - uses: github/codeql-action/analyze@v3
  trivy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: aquasecurity/trivy-action@0.28.0
        with:
          scan-type: fs
          format: sarif
          output: trivy.sarif
      - uses: github/codeql-action/upload-sarif@v3
        with: { sarif_file: trivy.sarif }

Notes

  • Needs security-events: write to upload SARIF.
  • CodeQL covers code-level vulnerabilities; Trivy covers dependency and config issues.
  • Run on a schedule too so new advisories are caught.

Run it cheaper

Point runs-on: at a Latchkey label to run this workflow at roughly 69% lower per-minute cost, with self-healing for transient failures.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →