# LAB ONLY
# 用途: 文件系统、配置与秘密扫描
# 目标范围: 自有代码仓和实验目录
# 风险: 可能报告历史样例、测试密钥或教学用漏洞文件
# 不适用: 未经白名单梳理直接作为生产阻断策略
name: trivy-fs

on:
  push:
    branches:
      - main
  workflow_dispatch:

permissions:
  contents: read

jobs:
  trivy-fs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Install Trivy
        run: |
          curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin

      - name: Scan repository
        run: |
          trivy fs \
            --scanners vuln,secret,config \
            --severity HIGH,CRITICAL \
            --exit-code 0 \
            .