feat(ci): add Trivy container security scanning before push

Add a scan job between check-docker and build-and-push. Builds each image locally (no push, current platform only), runs Trivy v0.35.0 against it, and fails on unfixed HIGH/CRITICAL CVEs. build-and-push only runs if both scans pass. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-16 11:53:16 +02:00 · 2026-04-16 11:53:16 +02:00 · 530def213b
commit 530def213b
parent cf50570733
1 changed files with 36 additions and 0 deletions
--- a/.forgejo/workflows/docker-build.yml
+++ b/.forgejo/workflows/docker-build.yml
@ -33,7 +33,43 @@ jobs:
            fi
          done

+  scan:
+    needs: check-docker
+    runs-on: docker-cli
+    services:
+      docker:
+        image: registry.zeidler.dev/docker-hub/catthehacker/ubuntu:act-latest
+        options: --privileged
+    container:
+      image: registry.zeidler.dev/docker-hub/catthehacker/ubuntu:act-latest
+    steps:
+      - name: Checkout the repo
+        uses: actions/checkout@v4
+      - name: Build proxy image for scanning
+        run: docker build -t scan/proxy:latest ./proxy
+      - name: Scan proxy image
+        uses: aquasecurity/trivy-action@v0.35.0
+        with:
+          image-ref: scan/proxy:latest
+          format: table
+          exit-code: '1'
+          severity: HIGH,CRITICAL
+          ignore-unfixed: true
+          vuln-type: os,library
+      - name: Build claude image for scanning
+        run: docker build -t scan/claude:latest ./claude
+      - name: Scan claude image
+        uses: aquasecurity/trivy-action@v0.35.0
+        with:
+          image-ref: scan/claude:latest
+          format: table
+          exit-code: '1'
+          severity: HIGH,CRITICAL
+          ignore-unfixed: true
+          vuln-type: os,library
+
  build-and-push:
+    needs: scan
    runs-on: docker-cli
    services:
      docker: