99permissions :
1010 contents : read
1111 packages : write
12+ security-events : write # Required if you want to upload scan results to GitHub Security tab
1213
1314jobs :
1415 build-test :
4647 BRANCH_NAME=${GITHUB_REF#refs/heads/}
4748 echo "name=${BRANCH_NAME}" >> $GITHUB_OUTPUT
4849
50+ # --- NEW STEP: Required for advanced Docker caching and building ---
51+ - name : Set up Docker Buildx
52+ uses : docker/setup-buildx-action@v3
53+
4954 - name : Docker meta
5055 id : meta
5156 uses : docker/metadata-action@v5
@@ -55,13 +60,33 @@ jobs:
5560 type=raw,value=${{ steps.branch.outputs.name }}-{{sha}},enable=true
5661 type=raw,value=latest,enable={{is_default_branch}}
5762
63+ # --- NEW STEP: Build locally for scanning (Don't push yet) ---
64+ - name : Build and export to Docker
65+ uses : docker/build-push-action@v5
66+ with :
67+ context : .
68+ load : true # This loads the image into the local Docker daemon
69+ tags : local-image-scan:latest # A temporary tag just for scanning
70+
71+ # --- NEW STEP: Run the Security Scan ---
72+ - name : Run Trivy vulnerability scanner
73+ uses : aquasecurity/trivy-action@0.20.0
74+ with :
75+ image-ref : ' local-image-scan:latest'
76+ format : ' table'
77+ exit-code : ' 1' # Fail the build if vulnerabilities are found
78+ ignore-unfixed : true # Don't fail on bugs that have no patch yet
79+ vuln-type : ' os,library'
80+ severity : ' CRITICAL,HIGH' # Only fail on Critical and High issues
81+
5882 - name : Log in to GHCR
5983 uses : docker/login-action@v3
6084 with :
6185 registry : ghcr.io
6286 username : ${{ github.actor }}
6387 password : ${{ secrets.GITHUB_TOKEN }}
6488
89+ # Actual Push Step (Uses cache from previous build step)
6590 - name : Build and push Docker image
6691 uses : docker/build-push-action@v5
6792 with :
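Review bot: The `security-events: write` permission added in the earlier permissions hunk has no consumer in this hunk: the Trivy step emits `format: 'table'` to the job log and nothing uploads a SARIF file, so the GITHUB_TOKEN carries a write scope the job never exercises. Either drop that line until an upload exists, or have Trivy produce `format: 'sarif'` with `output: 'trivy-results.sarif'` and add a `github/codeql-action/upload-sarif` step guarded by `if: always()` (the scan step exits 1 on findings, so an upload placed after it would otherwise be skipped). Separately, `aquasecurity/trivy-action@0.20.0` is a mutable tag; for a step that gates what gets pushed to GHCR, pin it to a full commit SHA with the version kept in a trailing comment, `uses: aquasecurity/trivy-action@<full-commit-sha>  # v0.20.0`, and the same applies to the new `docker/setup-buildx-action@v3` step in the earlier hunk. The ordering itself is sound: the scan runs before the GHCR login and push, so a failing scan blocks publication, while `ignore-unfixed: true` should be read as a deliberate acceptance of unpatched CRITICAL/HIGH findings rather than a gap.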