scan.yml

name: Scan

on:
  workflow_call:
    inputs:
      repository:
        required: true
        type: string
      commit:
        required: true
        type: string
    secrets:
      DOCKER_HUB_USERNAME:
        required: true
      DOCKER_HUB_PASSWORD:
        required: true

jobs:

  scan:
    runs-on: ubuntu-latest

    steps:
    - name: Checkout
      uses: actions/checkout@v4.2.2

    - name: Set up Docker Buildx
      uses: docker/setup-buildx-action@v3.7.1

    - name: Login to DockerHub
      uses: docker/login-action@v3.3.0
      with:
        username: ${{ secrets.DOCKER_HUB_USERNAME }}
        password: ${{ secrets.DOCKER_HUB_PASSWORD }}

    - name: Set image name
      id: setimagename
      env:
        REPOSITORY: ${{ inputs.repository }}
        COMMIT: ${{ inputs.commit }}
      run: |
          echo "Image name: $REPOSITORY:$COMMIT"
          echo "imagename=$REPOSITORY:$COMMIT" >> $GITHUB_OUTPUT

    - name: Build the image
      id: buildimage
      uses: docker/build-push-action@v6.9.0
      with:
        load: true
        context: ./
        file: ./Dockerfile
        push: false
        tags: ${{ steps.setimagename.outputs.imagename }}

    - name: Run Trivy vulnerability scanner
      uses: aquasecurity/trivy-action@0.29.0
      env:
        TRIVY_DB_REPOSITORY: "aquasec/trivy-db:2,public.ecr.aws/aquasecurity/trivy-db:2,ghcr.io/aquasecurity/trivy-db:2"
        TRIVY_JAVA_DB_REPOSITORY: "aquasec/trivy-java-db:1,public.ecr.aws/aquasecurity/trivy-java-db:1,ghcr.io/aquasecurity/trivy-java-db:1"
      with:
        image-ref: '${{ steps.setimagename.outputs.imagename }}'
        format: 'table'
        exit-code: '1'
        ignore-unfixed: true
        vuln-type: 'os,library'
        severity: 'CRITICAL'