ci(gha): perform trivy image scan after docker build

abhisheksr01 · abhisheksr01 · commit fc37b9b73627 · 2025-09-07T01:11:05.000+01:00
diff --git a/.github/workflows/pipeline.yml b/.github/workflows/pipeline.yml
@@ -159,7 +159,7 @@ jobs:
         env:
           PR_URL: ${{github.event.pull_request.html_url}}
           GH_TOKEN: ${{secrets.GITHUB_TOKEN}}
-  docker-build-push:
+  docker-build-scan-push:
     if: github.ref == 'refs/heads/main'
     runs-on: ubuntu-latest
     needs:
@@ -212,25 +212,42 @@ jobs:
             "org.opencontainers.image.url": "https://github.com/abhisheksr01/spring-boot-microservice-best-practices",
             "org.opencontainers.image.source": "https://github.com/abhisheksr01/spring-boot-microservice-best-practices",
             "org.opencontainers.image.version": ${{ steps.bump-version.outputs.bump-version }},
-            "org.opencontainers.image.created": "2020-01-10T00:30:00.000Z",
+            "org.opencontainers.image.created": "$(date +"%Y%m%d%H%M%S")",
             "org.opencontainers.image.revision": ${{ github.sha }},
             "org.opencontainers.image.licenses": "MIT"
-      - name: Build and push
+      - name: Build Image
         if: ${{ steps.bump-version.outputs.is-dryrun-version-bumped == 'true' }}
         uses: docker/build-push-action@v6
         with:
-          push: ${{ github.event_name != 'pull_request' && steps.bump-version.outputs.is-dryrun-version-bumped == 'true' }} # Only push on main branch & when version is bumped with dryrun. We will create tags and creates separately after proper testing
+          push: false
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
           sbom: true
           provenance: true
+          outputs: type=oci,dest=companieshouse.tar
+          platforms: linux/amd64
+      - name: Scan Image
+        uses: aquasecurity/trivy-action@0.33.1
+        with:
+          image-ref: companieshouse.tar
+          format: 'table'
+          exit-code: '1'
+          ignore-unfixed: true
+          vuln-type: 'os,library'
+          scanners: 'vuln,secret,misconfig,license'
+      - name: Push Image
+        if: ${{ github.event_name != 'pull_request' && steps.bump-version.outputs.is-dryrun-version-bumped == 'true' }} # Only push on main branch & when version is bumped with dryrun. We will create tags and creates separately after proper testing
+        run: |
+          buildctl image import < companieshouse.tar
+          buildctl image push --name ${{ steps.meta.outputs.tags }}
+
   create-release:
     if: ${{ needs.docker-build-push.outputs.is-dryrun-version-bumped  == 'true' }} # Only release when new version is available
     runs-on: ubuntu-latest
     permissions:
       contents: write # to be able to publish a GitHub release
     needs:
-      - docker-build-push
+      - docker-build-scan-push
     environment:
       name: approve-release # Manual Approval to decide if we are ready to push tags and release
     steps:
