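---
# Reusable workflow (workflow_call): runs Trivy in "config" scan mode over the
# checked-out repository, in two passes:
#   1. LOW/MEDIUM  - findings are printed, the step always exits 0.
#   2. CRITICAL/HIGH - findings are printed and the step exits 1, failing the job.
name: checks-trivy

on:
  workflow_call:

jobs:
  checks-trivy:
    name: checks-trivy
    runs-on: ubuntu-latest
    # Least privilege: the job only reads the repository. Without this block
    # the job token carries whatever scopes the calling workflow grants, and
    # that token is reachable by every action run below.
    # Callers must grant at least `contents: read`.
    permissions:
      contents: read
    steps:
      # NOTE(review): `@v4` is a movable tag; pin to a full commit SHA if the
      # project's policy requires immutable action references.
      - name: Clone repo
        uses: actions/checkout@v4
        with:
          # Do not write the job token into .git/config; the scan steps only
          # read the working tree and need no git credentials.
          persist-credentials: false

      # NOTE(review): `@master` is a mutable branch ref, so whatever is pushed
      # to that branch runs inside this job on the next invocation. Pin to the
      # full commit SHA of a reviewed release, e.g.
      #   uses: aquasecurity/trivy-action@<FULL_COMMIT_SHA>  # <release tag>
      # and let a dependency-update bot propose bumps.
      - name: Run Trivy vulnerability scanner in IaC mode (LOW/MED)
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: "config"
          hide-progress: false
          format: "table"
          # Report-only pass: never fails the job.
          exit-code: "0"
          # NOTE(review): ignore-unfixed filters vulnerability findings that
          # have no fix; presumably it has no effect on a config scan -
          # confirm, and drop it if so.
          ignore-unfixed: true
          severity: "LOW,MEDIUM"

      # NOTE(review): same mutable `@master` ref as the step above; pin both
      # to the same reviewed commit SHA.
      - name: Run Trivy vulnerability scanner in IaC mode (HIGH/CRIT)
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: "config"
          hide-progress: false
          format: "table"
          # Gating pass: any CRITICAL/HIGH finding fails the job.
          exit-code: "1"
          # NOTE(review): presumably a no-op for config scans - confirm.
          ignore-unfixed: true
          severity: "CRITICAL,HIGH"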