ci: scan main Docker image with Trivy (#207)

Wenzel · web-flow · commit bda17f7f094d · 2025-09-19T06:20:04.000-07:00
diff --git a/.github/workflows/scans.yml b/.github/workflows/scans.yml
@@ -52,6 +52,56 @@ jobs:
           /action/lib/linter.sh || ( echo "❗ [CT222] Super linter found an issue (possibly Hadolint)" && exit 1 )
           echo "✅ [CT222] Hadolint Dockerfile check passed"
 
+      - name: Run Trivy vulnerability scanner on repo
+        uses: aquasecurity/trivy-action@f9424c10c36e288d5fa79bd3dfd1aeb2d6eae808 # master
+        with:
+          scan-type: config
+          scan-ref: .
+          output: repo_scan_trivy_report.txt
+
+      - name: Upload Trivy Report
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        with:
+          path: repo_scan_trivy_report.txt
+          name: trivy_repo_report
+
+  scan_main_container:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
+        with:
+          egress-policy: audit
+
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          fetch-depth: 0
+          lfs: false
+
+      - name: Setup Docker
+        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
+
+      - name: Build Image
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
+        with:
+          load: true
+          tags: tsffs:latest
+          cache-to: type=gha,mode=max
+          cache-from: type=gha
+
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@f9424c10c36e288d5fa79bd3dfd1aeb2d6eae808 # master
+        with:
+          image-ref: tsffs:latest
+          output: main_container_trivy_report.txt
+          skip-dirs: /workspace/simics
+
+      - name: Upload Trivy Report
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        with:
+          path: main_container_trivy_report.txt
+          name: trivy_container_report
+
   scan_x86_64_breakpoint_uefi_edk2_container:
     runs-on: ubuntu-latest
     steps:
diff --git a/Dockerfile b/Dockerfile
@@ -167,6 +167,5 @@ FROM fedora:42@sha256:469a32aab897bfd91f6fde78bd8f0b07507879fc63fe19d69b5298a70f
 COPY --from=tsffs-base /workspace/projects /workspace/projects
 COPY --from=tsffs-base /workspace/simics /workspace/simics
 COPY --from=tsffs-base /root/.bashrc /root/.bashrc
-COPY --from=tsffs-base /root/.cargo /root/.cargo
 
 WORKDIR /workspace/projects/example
