GitHub Actions Workflow for Security Scanning with CodeQL and Trivy
Scan code with CodeQL and dependencies with Trivy.
This workflow runs CodeQL analysis and a Trivy filesystem scan, surfacing findings in the Security tab via SARIF.
The workflow
.github/workflows/security.yml
name: Security
on:
push:
branches: [main]
schedule:
- cron: '0 6 * * 1'
permissions:
security-events: write
contents: read
jobs:
codeql:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: github/codeql-action/init@v3
with: { languages: javascript }
- uses: github/codeql-action/analyze@v3
trivy:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: aquasecurity/trivy-action@0.28.0
with:
scan-type: fs
format: sarif
output: trivy.sarif
- uses: github/codeql-action/upload-sarif@v3
with: { sarif_file: trivy.sarif }Notes
- Needs
security-events: writeto upload SARIF. - CodeQL covers code-level vulnerabilities; Trivy covers dependency and config issues.
- Run on a schedule too so new advisories are caught.
Run it cheaper
Point runs-on: at a Latchkey label to run this workflow at roughly 69% lower per-minute cost, with self-healing for transient failures.
Related guides
How to Speed Up GitHub Actions: 9 High-Impact TacticsMake GitHub Actions faster: caching, parallelization, test splitting, Docker layer caching, slimmer images, a…
How to Use Secrets in GitHub Actions SafelyUse GitHub Actions secrets correctly - repo vs environment vs org secrets, why forks can not read them, and h…