feat: Update CI workflow to include Docker Buildx setup and Trivy security scan

RandithaK · RandithaK · commit bdd6e6cf776c · 2025-12-17T01:43:23.000+05:30
diff --git a/.github/workflows/build-test.yml b/.github/workflows/build-test.yml
@@ -9,6 +9,7 @@ on:
 permissions:
   contents: read
   packages: write
+  security-events: write # Required if you want to upload scan results to GitHub Security tab
 
 jobs:
   build-test:
@@ -41,7 +42,7 @@ jobs:
         run: npm run lint
 
       - name: SonarQube Scan
-        uses: SonarSource/sonarqube-scan-action@v4
+        uses: SonarSource/sonarqube-scan-action@v6
         env:
           SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
@@ -55,6 +56,10 @@ jobs:
           BRANCH_NAME=${GITHUB_REF#refs/heads/}
           echo "name=${BRANCH_NAME}" >> $GITHUB_OUTPUT
 
+      # --- NEW STEP: Required for advanced Docker caching and building ---
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
       - name: Docker meta
         id: meta
         uses: docker/metadata-action@v5
@@ -64,13 +69,33 @@ jobs:
             type=raw,value=${{ steps.branch.outputs.name }}-{{sha}},enable=true
             type=raw,value=latest,enable={{is_default_branch}}
 
+      # --- NEW STEP: Build locally for scanning (Don't push yet) ---
+      - name: Build and export to Docker
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          load: true # This loads the image into the local Docker daemon
+          tags: local-image-scan:latest # A temporary tag just for scanning
+
+      # --- NEW STEP: Run the Security Scan ---
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@0.20.0
+        with:
+          image-ref: 'local-image-scan:latest'
+          format: 'table'
+          exit-code: '0'          # Fail the build if vulnerabilities are found
+          ignore-unfixed: true    # Don't fail on bugs that have no patch yet
+          vuln-type: 'os,library'
+          severity: 'CRITICAL,HIGH' # Only fail on Critical and High issues
+
       - name: Log in to GHCR
         uses: docker/login-action@v3
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
+      # Actual Push Step (Uses cache from previous build step)
       - name: Build and push Docker image
         uses: docker/build-push-action@v5
         with:
@@ -85,4 +110,4 @@ jobs:
           echo "**Tags pushed:**" >> $GITHUB_STEP_SUMMARY
           echo '```' >> $GITHUB_STEP_SUMMARY
           echo "${{ steps.meta.outputs.tags }}" >> $GITHUB_STEP_SUMMARY
-          echo '```' >> $GITHUB_STEP_SUMMARY
+          echo '```' >> $GITHUB_STEP_SUMMARY
