fix: trivy pipeline

.gitea/workflows/publish-docker.yml

@@ -41,20 +41,25 @@ jobs:
           load: true # This loads the image into the local docker daemon for Trivy to find
           tags: local_scan_target:${{ github.sha }}
 
-      # Step 2: Scan the local image with Trivy
+#      # Step 2: Scan the local image with Trivy
-      - name: Run Trivy vulnerability scanner
+#      - name: Run Trivy vulnerability scanner
-        uses: aquasecurity/trivy-action@master
+#        uses: aquasecurity/trivy-action@master
-        with:
+#        with:
-          image-ref: 'local_scan_target:${{ github.sha }}'
+#          image-ref: 'local_scan_target:${{ github.sha }}'
-          format: 'table'
+#          format: 'table'
-          exit-code: '1' # This will fail the pipeline if vulnerabilities are found
+#          exit-code: '1' # This will fail the pipeline if vulnerabilities are found
-          ignore-unfixed: true
+#          ignore-unfixed: true
-          vuln-type: 'os,library'
+#          vuln-type: 'os,library'
-          severity: 'CRITICAL,HIGH'
+#          severity: 'CRITICAL,HIGH'
-          github-pat: ""
+#          github-pat: ""
-        env:
+#        env:
-          - TRIVY_USERNAME: ${{ secrets.PACKAGE_USER }}
+#          - TRIVY_USERNAME: ${{ secrets.PACKAGE_USER }}
-          - TRIVY_PASSWORD: ${{ secrets.PACKAGE_TOKEN }}
+#          - TRIVY_PASSWORD: ${{ secrets.PACKAGE_TOKEN }}
+
+      - name: Run Trivy scanner (Binary Mode)
+        run: |
+          curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin
+          trivy image --exit-code 1 --severity CRITICAL,HIGH --ignore-unfixed local_scan_target:${{ github.sha }}
 
       # Step 3: If scan passes, Build and Push to Registry
       - name: Build and push Docker image