ci(gha): perform trivy image scan after docker build

Author: abhisheksr01

.github/workflows/pipeline.yml

@@ -159,7 +159,7 @@ jobs:
         env:
           PR_URL: ${{github.event.pull_request.html_url}}
           GH_TOKEN: ${{secrets.GITHUB_TOKEN}}
-  docker-build-push:
+  docker-build-scan-push:
     if: github.ref == 'refs/heads/main'
     runs-on: ubuntu-latest
     needs:
@@ -215,22 +215,38 @@ jobs:
             "org.opencontainers.image.created": "2020-01-10T00:30:00.000Z",
             "org.opencontainers.image.revision": ${{ github.sha }},
             "org.opencontainers.image.licenses": "MIT"
-      - name: Build and push
+      - name: Build Image
         if: ${{ steps.bump-version.outputs.is-dryrun-version-bumped == 'true' }}
         uses: docker/build-push-action@v6
         with:
-          push: ${{ github.event_name != 'pull_request' && steps.bump-version.outputs.is-dryrun-version-bumped == 'true' }} # Only push on main branch & when version is bumped with dryrun. We will create tags and creates separately after proper testing
+          push: false
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
           sbom: true
           provenance: true
+          outputs: type=docker,dest=companieshouse.tar
+          platforms: linux/amd64
+      - name: Scan Image
+        uses: aquasecurity/[email protected]
+        with:
+          image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}'
+          format: 'table'
+          exit-code: '1'
+          ignore-unfixed: true
+          vuln-type: 'os,library'
+          scanners: 'vuln,secret,misconfig,license'
+      - name: Push Image
+        if: ${{ github.event_name != 'pull_request' && steps.bump-version.outputs.is-dryrun-version-bumped == 'true' }} # Only push on main branch & when version is bumped with dryrun. We will create tags and creates separately after proper testing
+        run: |
+          docker load -i companieshouse.tar
+          docker push ${{ steps.meta.outputs.tags }}
   create-release:
     if: ${{ needs.docker-build-push.outputs.is-dryrun-version-bumped  == 'true' }} # Only release when new version is available
     runs-on: ubuntu-latest
     permissions:
       contents: write # to be able to publish a GitHub release
     needs:
-      - docker-build-push
+      - docker-build-scan-push
     environment:
       name: approve-release # Manual Approval to decide if we are ready to push tags and release
     steps: