the-other-dude/.github/workflows/security-scan.yml
Jason Staack b840047e19 feat: The Other Dude v9.0.1 — full-featured email system
ci: add GitHub Pages deployment workflow for docs site

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-08 19:30:44 -05:00


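name: Container Security Scan

on:
  push:
    branches: [main, master]
  pull_request:
    branches: [main, master]

# Least-privilege GITHUB_TOKEN: the job only checks out and builds, so it
# needs read access to the repository and nothing else. Scan output is
# printed as a table in the job log, so no security-events: write (SARIF
# upload) permission is required.
permissions:
  contents: read

jobs:
  trivy-scan:
    name: Trivy Container Scan
    runs-on: ubuntu-latest
    steps:
      # NOTE(review): the third-party actions used below are pinned to
      # tags (actions/checkout@v4, aquasecurity/trivy-action@0.33.1).
      # Tags are mutable; pinning each to the full commit SHA of the
      # release narrows supply-chain exposure.
      - name: Checkout code
        uses: actions/checkout@v4

      # Build and scan each container image sequentially to avoid OOM.
      # Scans are BLOCKING (exit-code: 1) — HIGH/CRITICAL CVEs fail the pipeline.
      # Add base-image CVEs to .trivyignore with justification if needed.
      - name: Build API image
        run: docker build -f infrastructure/docker/Dockerfile.api -t mikrotik-api:scan .

      - name: Scan API image
        uses: aquasecurity/trivy-action@0.33.1
        with:
          image-ref: "mikrotik-api:scan"
          format: "table"
          exit-code: "1"
          severity: "HIGH,CRITICAL"
          trivyignores: ".trivyignore"

      # Poller uses its own build context (./poller), unlike the other two images.
      - name: Build Poller image
        run: docker build -f poller/Dockerfile -t mikrotik-poller:scan ./poller

      - name: Scan Poller image
        uses: aquasecurity/trivy-action@0.33.1
        with:
          image-ref: "mikrotik-poller:scan"
          format: "table"
          exit-code: "1"
          severity: "HIGH,CRITICAL"
          trivyignores: ".trivyignore"

      - name: Build Frontend image
        run: docker build -f infrastructure/docker/Dockerfile.frontend -t mikrotik-frontend:scan .

      - name: Scan Frontend image
        uses: aquasecurity/trivy-action@0.33.1
        with:
          image-ref: "mikrotik-frontend:scan"
          format: "table"
          exit-code: "1"
          severity: "HIGH,CRITICAL"
          trivyignores: ".trivyignore"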