.github/workflows/scan.yaml

name: Scan
on:
  workflow_dispatch:
  pull_request:
    branches:
      - main
  push:
    branches:
      - main
    tags:
      - "v*"
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - name: Set up Docker Buildx
        id: buildx
        uses: docker/setup-buildx-action@v3.8.0
      - name: Build image
        uses: docker/build-push-action@v6.11.0
        with:
          context: .
          tags: ghcr.io/rancher/aks-operator:${{ github.sha }}
          load: true
          push: false
          file: package/Dockerfile
          build-args: |
            TAG=${{ github.sha }}
            REPO=ghcr.io/rancher/aks-operator
            COMMIT=${{ github.sha }}
      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@0.29.0
        env:
          TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db
          TRIVY_JAVA_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-java-db,public.ecr.aws/aquasecurity/trivy-java-db
        with:
          image-ref: "ghcr.io/rancher/aks-operator:${{ github.sha }}"
          format: "table"
          exit-code: "1"
          ignore-unfixed: true
          severity: "CRITICAL,HIGH"