diff --git a/.github/workflows/trivy.yaml b/.github/workflows/trivy.yaml
new file mode 100644
index 0000000..90a1f93
--- /dev/null
+++ b/.github/workflows/trivy.yaml
@@ -0,0 +1,29 @@
+# This is a basic workflow to help you get started with Actions
+
+name: Trivy Scan
+
+# Controls when the action will run. Triggers the workflow on push or pull request
+# events but only for the master branch
+on:
+ pull_request:
+ branches: [master]
+ types: [opened, synchronize, reopened]
+
+# A workflow run is made up of one or more jobs that can run sequentially or in parallel
+jobs:
+ # This workflow contains a single job called "trivy"
+ trivy:
+ # The type of runner that the job will run on
+ runs-on: [self-hosted, linux, codebuild]
+
+ # Steps represent a sequence of tasks that will be executed as part of the job
+ steps:
+ # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
+ - uses: actions/checkout@v3
+
+ - name: Run Trivy vulnerability scanner in repo mode
+ uses: aquasecurity/trivy-action@0.28.0
+ with:
+ scan-type: "fs"
+ scan-ref: "${{ github.workspace }}"
+ trivy-config: "${{ github.workspace }}/trivy.yml"
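Review bot: Both actions are referenced by mutable tags (`actions/checkout@v3` on the checkout step and `aquasecurity/trivy-action@0.28.0` on the scan step) rather than full commit SHAs, so a re-pointed or compromised tag would run arbitrary code on the self-hosted runner; pin each to a commit SHA with the version kept as a trailing comment, e.g. `uses: actions/checkout@<full-sha> # v3`. The workflow also declares no `permissions:` block, so the job receives the repository's default `GITHUB_TOKEN` scopes although a read-only filesystem scan needs only `permissions: contents: read` at the top level. Because the trigger is `pull_request` and the job runs on a `self-hosted` runner, pull requests from forks would execute on that runner (after maintainer approval) if this repository is public — worth confirming the runner is isolated or the repository is private. The header comment says the workflow runs on push or pull request, but only `pull_request` is configured; update the comment to match.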
diff --git a/README.md b/README.md
index 8b72233..f58b753 100644
--- a/README.md
+++ b/README.md
@@ -9,9 +9,6 @@
-
-
-
diff --git a/trivy.yml b/trivy.yml
new file mode 100644
index 0000000..d855a42
--- /dev/null
+++ b/trivy.yml
@@ -0,0 +1,16 @@
+format: table
+exit-code: 1
+severity:
+ - HIGH
+ - CRITICAL
+skip-files:
+ - db.env
+security-checks:
+ - vuln
+ - secret
+ - license
+vulnerability:
+ type:
+ - os
+ - library
+ ignore-unfixed: true
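Review bot: `skip-files: db.env` excludes that file from every scanner, including the `secret` check enabled just below, so if `db.env` holds real database credentials this config hides exactly the finding the secret scanner exists to raise; if the file is only a template, record that in a comment such as `# db.env is a placeholder template, not real credentials`, otherwise drop the exclusion or suppress the specific finding via `.trivyignore` instead. `ignore-unfixed: true` silently drops HIGH/CRITICAL vulnerabilities that have no upstream fix, which is a reasonable noise tradeoff but means `exit-code: 1` does not reflect the full exposure, so a comment noting the tradeoff would help. The keys `security-checks`, top-level `skip-files` and `vulnerability.type` look like the older Trivy config-file form — newer Trivy releases moved these to `scan.scanners`, `scan.skip-files` and `pkg.types` — so verify against the Trivy version bundled with trivy-action 0.28.0 that they are still honoured, since a silently ignored `security-checks` would drop the secret and license scans without failing the job.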