monoadmin/the-other-dude
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
cfa18a4095cc0e3fad997e9124ae6ee9f83f6b52
the-other-dude/.github/workflows/security-scan.yml
Jason Staack cfa18a4095 refactor: rename remaining mikrotik references to tod across CI, helm, frontend, and observability 
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-14 12:03:51 -05:00

57 lines
1.6 KiB
YAML
Raw Blame History

name: Container Security Scan
on:
push:
branches: [main, master]
pull_request:
branches: [main, master]
jobs:
trivy-scan:
name: Trivy Container Scan
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4
# Build and scan each container image sequentially to avoid OOM.
# Scans are BLOCKING (exit-code: 1) — HIGH/CRITICAL CVEs fail the pipeline.
# Add base-image CVEs to .trivyignore with justification if needed.
- name: Build API image
run: docker build -f infrastructure/docker/Dockerfile.api -t tod-api:scan .
- name: Scan API image
uses: aquasecurity/trivy-action@0.33.1
with:
image-ref: "tod-api:scan"
format: "table"
exit-code: "1"
severity: "HIGH,CRITICAL"
trivyignores: ".trivyignore"
- name: Build Poller image
run: docker build -f poller/Dockerfile -t tod-poller:scan ./poller
- name: Scan Poller image
uses: aquasecurity/trivy-action@0.33.1
with:
image-ref: "tod-poller:scan"
format: "table"
exit-code: "1"
severity: "HIGH,CRITICAL"
trivyignores: ".trivyignore"
- name: Build Frontend image
run: docker build -f infrastructure/docker/Dockerfile.frontend -t tod-frontend:scan .
- name: Scan Frontend image
uses: aquasecurity/trivy-action@0.33.1
with:
image-ref: "tod-frontend:scan"
format: "table"
exit-code: "1"
severity: "HIGH,CRITICAL"
trivyignores: ".trivyignore"
Reference in New Issue View Git Blame Copy Permalink