From c7c9eb242a09d49347a13258914de0470443e38c Mon Sep 17 00:00:00 2001
From: Adil Hafeez
Date: Fri, 13 Feb 2026 15:42:53 -0800
Subject: [PATCH] Add Trivy Docker image security scan workflow

Scans the Docker image for CRITICAL and HIGH vulnerabilities using Trivy. Blocks PRs on failures; runs non-blocking on main for visibility. Results are uploaded to the GitHub Security tab via SARIF.

Co-Authored-By: Claude Opus 4.6
---
 .github/workflows/docker-security-scan.yml | 50 ++++++++++++++++++++++
 1 file changed, 50 insertions(+)
 create mode 100644 .github/workflows/docker-security-scan.yml

diff --git a/.github/workflows/docker-security-scan.yml b/.github/workflows/docker-security-scan.yml
new file mode 100644
index 00000000..62b0cbdb
--- /dev/null
+++ b/.github/workflows/docker-security-scan.yml
@@ -0,0 +1,50 @@
+name: Docker Security Scan
+
+env:
+  DOCKER_IMAGE: katanemo/plano
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+
+jobs:
+  scan:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout Repository
+        uses: actions/checkout@v4
+
+      - name: Build Docker Image
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          file: ./Dockerfile
+          platforms: linux/amd64
+          push: false
+          tags: ${{ env.DOCKER_IMAGE }}:scan
+
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@master
+        with:
+          image-ref: ${{ env.DOCKER_IMAGE }}:scan
+          format: table
+          # Fail on PRs so vulnerabilities block merge; on main just report
+          exit-code: ${{ github.event_name == 'pull_request' && '1' || '0' }}
+          severity: CRITICAL,HIGH
+
+      - name: Run Trivy scanner (SARIF for GitHub Security tab)
+        if: always()
+        uses: aquasecurity/trivy-action@master
+        with:
+          image-ref: ${{ env.DOCKER_IMAGE }}:scan
+          format: sarif
+          output: trivy-results.sarif
+          severity: CRITICAL,HIGH
+
+      - name: Upload Trivy results to GitHub Security tab
+        if: always()
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: trivy-results.sarif
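Review bot: Both Trivy steps run a third-party action from a moving branch, `uses: aquasecurity/trivy-action@master`, so whoever can push to that branch can execute arbitrary code in this job with the repository's token; pin it to a full commit SHA with the release tag in a trailing comment (the `@v4`/`@v5`/`@v3` tags on the other actions are mutable too and deserve the same treatment). The workflow also declares no `permissions:` block, so the upload-sarif step depends on the repository's default token scope; declare `contents: read` and `security-events: write` at the top level so the upload works under a read-only default and the job is granted nothing more (on pull requests from forks the token is read-only regardless, so the upload step may fail there). `if: always()` on the SARIF and upload steps also fires when the build step failed or the job was cancelled, in which case the scan targets an image that was never built; `if: success() || failure()` limits them to the intended case. If a buildx container builder is ever added to this job, the build step will also need `load: true`, otherwise `katanemo/plano:scan` is not in the local daemon and Trivy may fall back to pulling a registry image instead of scanning the one just built.
```yaml
name: Docker Security Scan

# Least-privilege token: read the repo, write SARIF to the Security tab.
permissions:
  contents: read
  security-events: write

# … unchanged: env, on, jobs.scan.runs-on, checkout and build steps …

      - name: Run Trivy vulnerability scanner
        # Pin third-party actions to a full commit SHA; keep the tag as a comment.
        uses: aquasecurity/trivy-action@<commit-sha>  # <release-tag>
# … unchanged: with: block …

      - name: Run Trivy scanner (SARIF for GitHub Security tab)
        if: success() || failure()
        uses: aquasecurity/trivy-action@<commit-sha>  # <release-tag>
# … unchanged: remaining with: block and upload step …
```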