99permissions :
1010 contents : read
1111 packages : write
12+ security-events : write # Required if you want to upload scan results to GitHub Security tab
1213
1314jobs :
1415 build-test :
3738 BRANCH_NAME=${GITHUB_REF#refs/heads/}
3839 echo "name=${BRANCH_NAME}" >> $GITHUB_OUTPUT
3940
41+ # --- NEW STEP: Required for advanced Docker caching and building ---
42+ - name : Set up Docker Buildx
43+ uses : docker/setup-buildx-action@v3
44+
4045 - name : Docker meta
4146 id : meta
4247 uses : docker/metadata-action@v5
@@ -46,13 +51,33 @@ jobs:
4651 type=raw,value=${{ steps.branch.outputs.name }}-{{sha}},enable=true
4752 type=raw,value=latest,enable={{is_default_branch}}
4853
54+ # --- NEW STEP: Build locally for scanning (Don't push yet) ---
55+ - name : Build and export to Docker
56+ uses : docker/build-push-action@v5
57+ with :
58+ context : .
59+ load : true # This loads the image into the local Docker daemon
60+ tags : local-image-scan:latest # A temporary tag just for scanning
61+
62+ # --- NEW STEP: Run the Security Scan ---
63+ - name : Run Trivy vulnerability scanner
64+ uses : aquasecurity/trivy-action@0.20.0
65+ with :
66+ image-ref : ' local-image-scan:latest'
67+ format : ' table'
68+ exit-code : ' 1' # Fail the build if vulnerabilities are found
69+ ignore-unfixed : true # Don't fail on bugs that have no patch yet
70+ vuln-type : ' os,library'
71+ severity : ' CRITICAL,HIGH' # Only fail on Critical and High issues
72+
4973 - name : Log in to GHCR
5074 uses : docker/login-action@v3
5175 with :
5276 registry : ghcr.io
5377 username : ${{ github.actor }}
5478 password : ${{ secrets.GITHUB_TOKEN }}
5579
80+ # Actual Push Step (Uses cache from previous build step)
5681 - name : Build and push Docker image
5782 uses : docker/build-push-action@v5
5883 with :
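Review bot: The scanner that now gates the push, `uses: aquasecurity/trivy-action@0.20.0`, is pinned to a mutable tag (as are `docker/setup-buildx-action@v3` and `docker/build-push-action@v5`), so the gate can be silently replaced upstream; pin each action to a full commit SHA and keep the version as a comment, e.g. `uses: aquasecurity/trivy-action@<full-commit-sha>  # v0.20.0`. The scan emits `format: 'table'` and no upload step follows, yet `security-events: write` is granted at the top of this file "to upload scan results to GitHub Security tab" — either drop that permission (least privilege) or produce SARIF and upload it, as sketched below. The scanned image (`local-image-scan:latest`, loaded into the local daemon) and the pushed image come from two separate `build-push-action` invocations; a cache hit presumably yields the same layers, but nothing asserts it, so consider pushing the scanned image itself or comparing digests before the push. The push step's `with:` block continues past the end of this hunk.
```yaml
      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@<full-commit-sha>  # v0.20.0
        with:
          image-ref: 'local-image-scan:latest'
          format: 'sarif'
          output: 'trivy-results.sarif'
          exit-code: '1'
          ignore-unfixed: true
          vuln-type: 'os,library'
          severity: 'CRITICAL,HIGH'

      # Upload even when the scan fails the job, so the findings reach the Security tab
      - name: Upload Trivy results to GitHub Security tab
        if: always()
        uses: github/codeql-action/upload-sarif@<full-commit-sha>  # v3
        with:
          sarif_file: 'trivy-results.sarif'

      # … unchanged: GHCR login and build-and-push …
```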