fix(ci): replace trivy-action with docker run to fix missing binary

trivy-action@v0.35.0 expects trivy pre-installed in the runner environment. Switch to docker run aquasec/trivy:0.69.3 which uses the Docker daemon already available in the pipeline. Pin version via TRIVY_IMAGE env var. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-16 12:03:17 +02:00 · 2026-04-16 12:03:17 +02:00 · 4a0f2e90fc
commit 4a0f2e90fc
parent e6b46087b3
1 changed files with 34 additions and 30 deletions
--- a/.forgejo/workflows/docker-build.yml
+++ b/.forgejo/workflows/docker-build.yml
@ -10,6 +10,8 @@ env:
  # whichever you use to reach it from your desktop/laptop
  FORGEJO_HOST: code.zeidler.dev
  HELM_EXPERIMENTAL_OCI: 1
  TRIVY_IMAGE: aquasec/trivy:0.69.3
 jobs:
  check-docker:
    runs-on: docker-cli
@ -50,45 +52,47 @@ jobs:
        run: docker build -t scan/proxy:latest ./proxy
      - name: Generate proxy SBOM
-        uses: aquasecurity/trivy-action@v0.35.0
+        run: |
-        with:
+          docker run --rm \
-          image-ref: scan/proxy:latest
+            -v /var/run/docker.sock:/var/run/docker.sock \
-          format: cyclonedx
+            -v "$PWD":/output \
-          output: sbom-proxy.cdx.json
+            ${{ env.TRIVY_IMAGE }} \
-          exit-code: '0'
+            image --exit-code 0 --vuln-type os,library \
-          vuln-type: os,library
+            --format cyclonedx --output /output/sbom-proxy.cdx.json \
            scan/proxy:latest
      - name: Scan proxy image
-        uses: aquasecurity/trivy-action@v0.35.0
+        run: |
-        with:
+          docker run --rm \
-          image-ref: scan/proxy:latest
+            -v /var/run/docker.sock:/var/run/docker.sock \
-          format: table
+            ${{ env.TRIVY_IMAGE }} \
-          exit-code: '1'
+            image --exit-code 1 --severity HIGH,CRITICAL \
-          severity: HIGH,CRITICAL
+            --ignore-unfixed --vuln-type os,library \
-          ignore-unfixed: true
+            --format table \
-          vuln-type: os,library
+            scan/proxy:latest
      - name: Build claude image for scanning
        run: docker build -t scan/claude:latest ./claude
      - name: Generate claude SBOM
-        uses: aquasecurity/trivy-action@v0.35.0
+        run: |
-        with:
+          docker run --rm \
-          image-ref: scan/claude:latest
+            -v /var/run/docker.sock:/var/run/docker.sock \
-          format: cyclonedx
+            -v "$PWD":/output \
-          output: sbom-claude.cdx.json
+            ${{ env.TRIVY_IMAGE }} \
-          exit-code: '0'
+            image --exit-code 0 --vuln-type os,library \
-          vuln-type: os,library
+            --format cyclonedx --output /output/sbom-claude.cdx.json \
            scan/claude:latest
      - name: Scan claude image
-        uses: aquasecurity/trivy-action@v0.35.0
+        run: |
-        with:
+          docker run --rm \
-          image-ref: scan/claude:latest
+            -v /var/run/docker.sock:/var/run/docker.sock \
-          format: table
+            ${{ env.TRIVY_IMAGE }} \
-          exit-code: '1'
+            image --exit-code 1 --severity HIGH,CRITICAL \
-          severity: HIGH,CRITICAL
+            --ignore-unfixed --vuln-type os,library \
-          ignore-unfixed: true
+            --format table \
-          vuln-type: os,library
+            scan/claude:latest
      - name: Upload SBOMs
        if: always()