From 88c8229588bb4384cd8ff8e38c3eac4edfeefcb4 Mon Sep 17 00:00:00 2001
From: Thomas Ferrandiz <thomas.ferrandiz@suse.com>
Date: Thu, 12 Dec 2024 09:48:22 +0000
Subject: [PATCH] Add trivy vulnerability scanner in build step

Signed-off-by: Thomas Ferrandiz <thomas.ferrandiz@suse.com>
---
 .github/workflows/image-build.yml | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/.github/workflows/image-build.yml b/.github/workflows/image-build.yml
index e20b74116..6693ae7b7 100644
--- a/.github/workflows/image-build.yml
+++ b/.github/workflows/image-build.yml
@@ -53,6 +53,22 @@ jobs:
           tags: ghcr.io/${{ github.repository }}:latest-amd64-thick
           file: images/Dockerfile.thick
 
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@0.29.0
+        with:
+          image-ref: ghcr.io/${{ github.repository }}:latest-amd64-thick
+          ignore-unfixed: true
+          vuln-type: 'os,library'
+          severity: 'CRITICAL,HIGH'
+          format: 'sarif'
+          output: 'trivy-results.sarif'
+          
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v3
+        if: always()
+        with:
+          sarif_file: 'trivy-results.sarif'
+
   build-origin:
     name: Image build/origin
     runs-on: ubuntu-latest