chore/security : add image scanning on release

Issam Kadar · Issam Kadar · commit 83a7677937ef · 2025-11-17T11:23:06.000+01:00
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -79,3 +79,19 @@ jobs:
           platforms: linux/amd64
           tags: ghcr.io/${{ github.repository_owner }}/hub-converter:${{ steps.extract_info.outputs.version }}
           context: ./converter
+
+      - name: Run Trivy vulnerability scanner on converter image
+        if: steps.extract_info.outputs.project == 'converter'
+        uses: aquasecurity/trivy-action@0.33.1
+        with:
+          image-ref: ghcr.io/${{ github.repository_owner }}/hub-converter:${{ steps.extract_info.outputs.version }}
+          format: sarif
+          output: trivy-image-results.sarif
+          severity: 'CRITICAL,HIGH,MEDIUM'
+
+      - name: Upload Trivy image scan results to GitHub Security tab
+        if: steps.extract_info.outputs.project == 'converter'
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: trivy-image-results.sarif
+          category: trivy-converter-image
