Bump azure/webapps-deploy from 8db8b8d14f21b245e6706fd0607244e354884697 to 45c7df8f6a4fe841b67ff88920b33f4f8328f8d9 #284

	# https://trivy.dev/latest/
	# https://github.com/aquasecurity/trivy
	# https://github.com/aquasecurity/trivy-action

	name: CIS - Trivy Container Image Scanning

	on:
	push:
	branches: [main]
	pull_request:
	branches: [main]
	schedule:
	- cron: 0 1 * * 0

	env:
	imageName: "webapp01"
	tag: ${{ github.sha }}

	permissions:
	contents: read # for actions/checkout to fetch code
	id-token: write
	security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
	actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status

	jobs:
	trivy:
	name: Trivy vulnerability scanner

	runs-on: ubuntu-latest

	steps:
	- name: Checkout code
	uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

	- name: Build an image from Dockerfile
	run: \|
	docker build ./src/webapp01 --file ./src/webapp01/Dockerfile --tag ${{ env.imageName }}:${{ env.tag }}

	- name: Run Trivy vulnerability scanner
	uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0
	with:
	image-ref: "${{ env.imageName }}:${{ env.tag }}"
	format: "sarif"
	output: "trivy-results.sarif"

	- name: Upload Trivy scan results to GitHub Security tab
	uses: github/codeql-action/upload-sarif@c10b8064de6f491fea524254123dbe5e09572f13 # v4.35.1
	if: always()
	with:
	sarif_file: "trivy-results.sarif"

	- name: Upload alerts file as a workflow artifact
	uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
	with:
	name: alerts
	path: "trivy-results.sarif"

Provide feedback