--- name: Build, Scan and Publish Docker Image on: push: branches: - main tags: - 'v*' jobs: build-and-push: runs-on: ubuntu-latest steps: - name: Checkout uses: actions/checkout@v4 - name: Log in to Gitea Container Registry uses: docker/login-action@v3 with: registry: git.br0tkasten.de username: ${{ secrets.PACKAGE_USER }} password: ${{ secrets.PACKAGE_TOKEN }} - name: Extract metadata (tags, labels) for Docker id: meta uses: docker/metadata-action@v5 with: images: git.br0tkasten.de/${{ gitea.repository }} flavor: | latest=true tags: | type=ref,event=branch type=semver,pattern={{version}} type=sha # Step 1: Build the image locally (do not push yet) - name: Build Docker image locally uses: docker/build-push-action@v5 with: context: . load: true # This loads the image into the local docker daemon for Trivy to find tags: local_scan_target:${{ github.sha }} # - name: Run Trivy vulnerability scanner # uses: aquasecurity/trivy-action@master # with: # image-ref: 'local_scan_target:${{ github.sha }}' # format: 'table' # exit-code: '1' # This will fail the pipeline if vulnerabilities are found # ignore-unfixed: true # vuln-type: 'os,library' # severity: 'CRITICAL,HIGH' # server-url: 'http://trivy-server:8080' # env: # - DOCKER_HOST: unix:///var/run/docker.sock # - TRIVY_USERNAME: ${{ secrets.PACKAGE_USER }} # - TRIVY_PASSWORD: ${{ secrets.PACKAGE_TOKEN }} - name: Run Trivy scanner (Binary Mode) run: | curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin trivy image --exit-code 1 --severity CRITICAL,HIGH --ignore-unfixed --server http://trivy-server:8080 local_scan_target:${{ github.sha }} # Step 3: If scan passes, Build and Push to Registry - name: Build and push Docker image uses: docker/build-push-action@v5 with: context: . push: true tags: ${{ steps.meta.outputs.tags }} labels: ${{ steps.meta.outputs.labels }}