security.yml

name: Security Checks

on:
  push:
    branches:
      - master
  pull_request:
    branches:
      - "*"

jobs:
  build-image:
    name: Docker Build
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write

    steps:
      - name: Checkout code
        uses: actions/checkout@v3

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v2

      - name: Build and push
        uses: docker/build-push-action@v4
        with:
          push: false
          file: Dockerfile.prod
          tags: tperich/curriculum_vitae:prod
          outputs: type=docker,dest=/tmp/image.tar

      - name: Upload Docker image
        uses: actions/upload-artifact@v3
        with:
          name: docker-image
          path: /tmp/image.tar

  trivy-scan:
    name: Trivy Scan
    runs-on: ubuntu-latest
    needs: build-image
    steps:
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v2

      - name: Download Docker image
        uses: actions/download-artifact@v3
        with:
          name: docker-image
          path: /tmp

      - name: Load Docker image
        run: docker load -i /tmp/image.tar

      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: image
          image-ref: tperich/curriculum_vitae:prod
          format: sarif
          output: trivy-results.sarif
          severity: CRITICAL,HIGH
          exit-code: 1

      - name: Upload Trivy results to GitHub
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: trivy-results.sarif