Scan images with Trivy (#142)

moubctez · web-flow · commit 45cbaf6be84c · 2025-08-25T11:28:47.000+02:00
diff --git a/.github/workflows/build-docker.yml b/.github/workflows/build-docker.yml
@@ -68,6 +68,16 @@ jobs:
           cache-from: type=gha
           cache-to: type=gha,mode=max
 
+      - name: Scan image with Trivy
+        uses: aquasecurity/trivy-action@0.32.0
+        with:
+          image-ref: "${{ env.GHCR_REPO }}:${{ github.sha }}-${{ matrix.tag }}"
+          format: "table"
+          exit-code: "1"
+          ignore-unfixed: true
+          vuln-type: "os,library"
+          severity: "CRITICAL,HIGH,MEDIUM"
+
   docker-manifest:
     runs-on: [self-hosted, Linux]
 
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -48,10 +48,9 @@ tower_governor = "0.4"
 # UI embedding
 rust-embed = { version = "8.5", features = ["include-exclude"] }
 mime_guess = "2.0"
-base64 = "0.22.1"
-tower = "0.5.2"
-futures = "0.3.31"
-futures-util = "0.3.31"
+base64 = "0.22"
+tower = "0.5"
+futures-util = "0.3"
 
 [build-dependencies]
 tonic-prost-build = "0.14"
diff --git a/Dockerfile b/Dockerfile
@@ -10,7 +10,7 @@ COPY web/ .
 RUN pnpm run generate-translation-types
 RUN pnpm build
 
-FROM rust:1.87 AS chef
+FROM rust:1 AS chef
 
 WORKDIR /build
 
@@ -42,7 +42,7 @@ COPY proto proto
 RUN cargo install --locked --path . --root /build
 
 # run
-FROM debian:bookworm-slim AS runtime
+FROM debian:13-slim AS runtime
 RUN apt-get update -y && \
     apt-get install --no-install-recommends -y ca-certificates && \
     rm -rf /var/lib/apt/lists/*
