From 4dde0beec8ac4781e9da3e43fcb27eb26c7d1a92 Mon Sep 17 00:00:00 2001
From: Timo Behrendt <t.behrendt@t00n.de>
Date: Thu, 26 Feb 2026 21:13:29 +0100
Subject: [PATCH] feat: add fs scan

---
 .gitea/workflows/run-trivy-scan.yaml | 26 +++++++++++++++++++++++++-
 1 file changed, 25 insertions(+), 1 deletion(-)

diff --git a/.gitea/workflows/run-trivy-scan.yaml b/.gitea/workflows/run-trivy-scan.yaml
index d6486b1..aff7393 100644
--- a/.gitea/workflows/run-trivy-scan.yaml
+++ b/.gitea/workflows/run-trivy-scan.yaml
@@ -23,6 +23,11 @@ on:
         required: false
         type: string
         default: ""
+      scan-fs:
+        description: "Run Trivy file system scan on the repository root."
+        required: false
+        type: boolean
+        default: false
     outputs:
       merged-sarif-artifact:
         description: "Artifact name containing the merged SARIF file (download this artifact; file inside is merged-sarif.json)."
@@ -110,9 +115,25 @@ jobs:
           name: image-sarif
           path: image-sarif.json
 
+  fs-scan:
+    if: inputs.scan-fs
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: https://gitea.t000-n.de/t.behrendt/trivy-actions/setup-trivy@1.4.4
+      - uses: https://gitea.t000-n.de/t.behrendt/trivy-actions/setup-db@1.4.4
+      - run: |
+          trivy fs --cache-dir "$TRIVY_CACHE_DIR" --exit-code 0 --format sarif --output fs-sarif.json --scanners vuln .
+        env:
+          TRIVY_CACHE_DIR: ${{ runner.temp }}/trivy
+      - uses: https://github.com/ChristopherHX/gitea-upload-artifact@v4
+        with:
+          name: fs-sarif
+          path: fs-sarif.json
+  
   merge:
     runs-on: ubuntu-latest
-    needs: [config-scan, image-scan]
+    needs: [config-scan, image-scan, fs-scan]
     if: always() && (needs.config-scan.result == 'success' || needs.config-scan.result == 'skipped') && (needs.image-scan.result == 'success' || needs.image-scan.result == 'skipped') && (inputs.scan-config || inputs.scan-images)
     outputs:
       merged-sarif-artifact: ${{ steps.outputs.outputs.merged-sarif-artifact }}
@@ -145,6 +166,9 @@ jobs:
           if [ "${{ inputs.scan-images }}" = "true" ] && [ -f image-sarif-artifact/image-sarif.json ]; then
             [ -n "$files" ] && files="$files"$'\n'"  - image-sarif-artifact/image-sarif.json" || files="- image-sarif-artifact/image-sarif.json"
           fi
+          if [ "${{ inputs.scan-fs }}" = "true" ] && [ -f fs-sarif-artifact/fs-sarif.json ]; then
+            [ -n "$files" ] && files="$files"$'\n'"  - fs-sarif-artifact/fs-sarif.json" || files="- fs-sarif-artifact/fs-sarif.json"
+          fi
           echo "files<<EOF" >> "$GITHUB_OUTPUT"
           echo "$files" >> "$GITHUB_OUTPUT"
           echo "EOF" >> "$GITHUB_OUTPUT"