Open
Labels: CI (Issue relates with CI workflow), enhancement (New feature or request), security (Preventing misuse or vulnerabilities in software)
Description
So much can happen when we build containers with a set of tools, base images, and permissions embedded in them. Even with the best intentions, security issues arise regularly. They have to be prevented as soon as possible, which is why security checks are already embedded in the CI workflow.
What's not found currently is scanning the container that would run in production. For instance, #39 was created due to a huge security issue that needed to be resolved. In the context of this issue, I'm planning to investigate a container scanning tool called Trivy from Aqua.
This step will ensure that critical or high-severity vulnerabilities in the base image or dependencies are detected before deployment.
Tasks
- Add a new docker-scan job in the CI pipeline that:
  - Runs Trivy to scan the Docker image built in the docker-check job.
- Configure Trivy to scan for vulnerabilities with high and critical severity.
- Set up the job to run only after the docker-check job completes successfully.
- Ensure the CI workflow fails if vulnerabilities are detected with HIGH or CRITICAL severity.
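One way to lay out the two jobs described in the tasks above as a GitHub Actions workflow. This is an added example, not the project's own CI configuration: the job name docker-check and the HIGH/CRITICAL gate come from this issue, while the image name `app`, the checkout and build steps, and the tarball hand-off between jobs are assumptions made here. Jobs run on separate runners, so an image built in docker-check is not visible to docker-scan unless it is saved and passed along; saving it with `docker save` and scanning the tarball also guarantees that the bytes scanned are exactly the bytes that were built.

```yaml
# Added example, not the project's workflow. The job name docker-check is from
# the issue; the image name, build step and artifact hand-off are assumptions.
name: ci

on:
  pull_request:
  push:
    branches: [main]

jobs:
  docker-check:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # Assumed build step; the issue only names the job, not its contents.
      - name: Build image
        run: docker build -t app:${{ github.sha }} .

      # Each job runs on its own runner, so the image must be handed over
      # explicitly. A tarball artifact preserves the exact image that was built.
      - name: Save image as tarball
        run: docker save app:${{ github.sha }} -o image.tar

      - uses: actions/upload-artifact@v4
        with:
          name: image
          path: image.tar

  docker-scan:
    # Runs only after docker-check succeeds; a failed build skips the scan.
    needs: docker-check
    runs-on: ubuntu-latest
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: image

      # exit-code 1 makes this step, and therefore the workflow, fail as soon
      # as any HIGH or CRITICAL finding is present. Pin the action to a release
      # tag or commit SHA instead of a moving branch before relying on it.
      - name: Scan image with Trivy
        uses: aquasecurity/trivy-action@master
        with:
          input: image.tar
          severity: HIGH,CRITICAL
          exit-code: '1'
          # Hides findings that have no fixed version yet; drop this line if
          # you want those listed too.
          ignore-unfixed: true
          vuln-type: os,library
          format: table
```

The same gate can be reproduced locally with the Trivy CLI against the saved tarball: `trivy image --input image.tar --severity HIGH,CRITICAL --exit-code 1`. Keeping `--exit-code 1` is what turns the report into a pipeline failure; without it Trivy prints the findings and exits 0, so the workflow would pass even with CRITICAL vulnerabilities present.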