From 3dadef436e940616741ec3f28060b4ca229c7e8a Mon Sep 17 00:00:00 2001
From: April John
Date: Tue, 11 Feb 2025 14:21:33 +0100
Subject: [PATCH] add docker image scanning

---
 .github/workflows/docker-publish.yml | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml
index 0fad632..cc93b35 100644
--- a/.github/workflows/docker-publish.yml
+++ b/.github/workflows/docker-publish.yml
@@ -58,6 +58,15 @@ jobs:
       run: nix build .#ociImage
     - name: Load Docker image
       run: docker load < result
+    - name: Run Trivy vulnerability scanner
+      uses: aquasecurity/trivy-action@0.28.0
+      with:
+        image-ref: 'ghcr.io/$IMAGE_NAME'
+        format: 'table'
+        exit-code: '1'
+        ignore-unfixed: true
+        vuln-type: 'os,library'
+        severity: 'CRITICAL,HIGH'
     - name: Push image to registry
       if: github.event_name != 'pull_request'
       run: docker push ghcr.io/$IMAGE_NAME -a
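Review bot: The `image-ref: 'ghcr.io/$IMAGE_NAME'` input is not shell-expanded the way `$IMAGE_NAME` is in the surrounding `run:` steps, so the action most likely receives the literal string `ghcr.io/$IMAGE_NAME` and the scan fails (or, worse, is skipped) instead of gating the push; `with:` inputs need the expressions syntax, e.g. `image-ref: 'ghcr.io/${{ env.IMAGE_NAME }}'`, assuming `IMAGE_NAME` is set via `env:` outside this hunk. The push step uses `docker push ... -a`, which suggests the loaded image carries several tags, while Trivy scans exactly one reference, so confirm that the reference given here matches a tag produced by `docker load`. Since this step is meant to be a security gate before publishing, consider pinning the action to a full commit SHA rather than the mutable `@0.28.0` tag, with the version kept in a trailing comment for readability. The `jobs:` block this step belongs to starts outside the hunk.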