--- name: Security # yamllint disable-line rule:truthy on: workflow_dispatch: schedule: - cron: "42 05 * * *" concurrency: group: ${{ github.workflow }} cancel-in-progress: false permissions: contents: read jobs: container: if: github.repository_owner == 'searxng' name: Container runs-on: ubuntu-24.04-arm permissions: security-events: write steps: - name: Checkout uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: persist-credentials: "false" - name: Sync GHCS from Docker Scout uses: docker/scout-action@ce97ec1bb85613e8eb35d086fad0c77a6cedf983 # v1.23.0 with: organization: "searxng" dockerhub-user: "${{ secrets.DOCKER_USER }}" dockerhub-password: "${{ secrets.DOCKER_TOKEN }}" image: "registry://ghcr.io/searxng/searxng:latest" command: "cves" sarif-file: "./scout.sarif" exit-code: "false" write-comment: "false" - name: Upload SARIFs uses: github/codeql-action/upload-sarif@54f647b7e1bb85c95cddabcd46b0c578ec92bc1a # v4.36.3 with: sarif_file: "./scout.sarif"