From 0e408eb394e139316f92c8db4f0426bc4cbcb80b Mon Sep 17 00:00:00 2001
From: Steven Bal <steven@maykinmedia.nl>
Date: Fri, 18 Oct 2024 16:22:43 +0200
Subject: [PATCH] :construction_worker: [maykinmedia/objects-api#463] Add trivy
 image scan

---
 .github/workflows/ci.yml | 34 ++++++++++++++++++++++++++++++++++
 1 file changed, 34 insertions(+)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 048b5e0..b5e67b8 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -108,3 +108,37 @@ jobs:
           name: docker-image
           path: image.tar
           retention-days: 1
+
+  image_scan:
+    runs-on: ubuntu-latest
+    name: Scan docker image
+    needs:
+      - docker_build_setup
+      - docker_build
+
+    steps:
+      # So the scanner gets commit meta-information
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Download built image
+        uses: actions/download-artifact@v4
+        with:
+          name: docker-image-all-extensions-${{ needs.docker_build_setup.outputs.version }}
+
+      - name: Scan image with Trivy
+        uses: aquasecurity/trivy-action@master
+        with:
+          input: ${{ github.workspace }}/image.tar  # from download-artifact
+          format: 'sarif'
+          output: 'trivy-results-docker.sarif'
+          ignore-unfixed: true
+        env:
+          # Uses the cache from trivy.yml workflow
+          TRIVY_SKIP_DB_UPDATE: true
+          TRIVY_SKIP_JAVA_DB_UPDATE: true
+
+      - name: Upload results to GH Security tab
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: 'trivy-results-docker.sarif'