ci: add docker image scanning

Author: haasonsaas

.github/workflows/ci.yaml

@@ -25,6 +25,15 @@ jobs:
         with:
           node-version: "20"
 
+      - name: Install Trivy
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y wget apt-transport-https gnupg lsb-release
+          wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | sudo gpg --dearmor -o /usr/share/keyrings/trivy-archive-keyring.gpg
+          echo "deb [signed-by=/usr/share/keyrings/trivy-archive-keyring.gpg] https://aquasecurity.github.io/trivy-repo/deb stable main" | sudo tee /etc/apt/sources.list.d/trivy.list
+          sudo apt-get update
+          sudo apt-get install -y trivy
+
       - name: Sync Python dependencies
         run: uv sync --frozen
 
@@ -33,3 +42,6 @@ jobs:
 
       - name: Run test coverage
         run: make coverage
+
+      - name: Scan Docker images
+        run: make scan-images

Makefile

@@ -35,3 +35,10 @@ audit:
 
 coverage:
 	uv run --with pytest-cov pytest --cov=src --cov-report=term-missing --cov-fail-under=85
+
+scan-images:
+	docker build -t nimbus-control-plane:ci .
+	trivy image --exit-code 1 --severity HIGH,CRITICAL --ignore-unfixed --no-progress nimbus-control-plane:ci
+	docker build -t nimbus-ai-runner:ci containers/ai-eval-runner
+	trivy image --exit-code 1 --severity HIGH,CRITICAL --ignore-unfixed --no-progress nimbus-ai-runner:ci
+	docker image rm -f nimbus-control-plane:ci nimbus-ai-runner:ci >/dev/null 2>&1 || true