From 530def213bd5679c15a7fd2a4c20d1b8367da857 Mon Sep 17 00:00:00 2001 From: docker-claude Date: Thu, 16 Apr 2026 11:53:16 +0200 Subject: [PATCH] feat(ci): add Trivy container security scanning before push Add a scan job between check-docker and build-and-push. Builds each image locally (no push, current platform only), runs Trivy v0.35.0 against it, and fails on unfixed HIGH/CRITICAL CVEs. build-and-push only runs if both scans pass. Co-Authored-By: Claude Sonnet 4.6 --- .forgejo/workflows/docker-build.yml | 36 +++++++++++++++++++++++++++++ 1 file changed, 36 insertions(+) diff --git a/.forgejo/workflows/docker-build.yml b/.forgejo/workflows/docker-build.yml index 3f76b5d..12af44d 100644 --- a/.forgejo/workflows/docker-build.yml +++ b/.forgejo/workflows/docker-build.yml @@ -33,7 +33,43 @@ jobs: fi done + scan: + needs: check-docker + runs-on: docker-cli + services: + docker: + image: registry.zeidler.dev/docker-hub/catthehacker/ubuntu:act-latest + options: --privileged + container: + image: registry.zeidler.dev/docker-hub/catthehacker/ubuntu:act-latest + steps: + - name: Checkout the repo + uses: actions/checkout@v4 + - name: Build proxy image for scanning + run: docker build -t scan/proxy:latest ./proxy + - name: Scan proxy image + uses: aquasecurity/trivy-action@v0.35.0 + with: + image-ref: scan/proxy:latest + format: table + exit-code: '1' + severity: HIGH,CRITICAL + ignore-unfixed: true + vuln-type: os,library + - name: Build claude image for scanning + run: docker build -t scan/claude:latest ./claude + - name: Scan claude image + uses: aquasecurity/trivy-action@v0.35.0 + with: + image-ref: scan/claude:latest + format: table + exit-code: '1' + severity: HIGH,CRITICAL + ignore-unfixed: true + vuln-type: os,library + build-and-push: + needs: scan runs-on: docker-cli services: docker:
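Review bot: The image that gets scanned is not the image that gets pushed: the scan job builds `scan/proxy:latest` and `scan/claude:latest` in its own job, and build-and-push (whose body continues outside the hunk) rebuilds from the Dockerfiles, so a base-image tag that moves between the two builds, a different build cache, or the non-native platforms the description says are skipped here all pass the gate unscanned. Consider pinning base images by digest in both Dockerfiles, or building once, exporting with `docker save`, scanning that archive through the action's `input:` option and pushing the same artifact, so the pass/fail result is bound to the bits that ship. Separately, both `uses: aquasecurity/trivy-action@v0.35.0` lines and `actions/checkout@v4` reference mutable tags; pinning the scanner to a commit SHA with the version in a trailing comment (`uses: aquasecurity/trivy-action@<commit-sha>  # v0.35.0`) keeps the scanning step itself from becoming a supply-chain vector. Note also that `ignore-unfixed: true` means a HIGH/CRITICAL finding with no upstream fix never fails the job, which is a defensible trade-off but deserves a comment on the `with:` block so the policy is explicit.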