diff --git a/.github/workflows/container-cve-scan-development.yml b/.github/workflows/container-cve-scan-development.yml
new file mode 100644
index 0000000..adf2e3b
--- /dev/null
+++ b/.github/workflows/container-cve-scan-development.yml
@@ -0,0 +1,78 @@
+name: Container CVE Scan (development)
+
+on:
+ push:
+ branches: ["development"]
+ workflow_dispatch:
+
+jobs:
+ cve-scan:
+ name: Scan backend/frontend images for CVEs
+ runs-on: ubuntu-latest
+
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@v3
+
+ - name: Build backend image (local)
+ uses: docker/build-push-action@v6
+ with:
+ context: ./backend
+ file: ./backend/Dockerfile
+ push: false
+ load: true
+ tags: nexapg-backend:dev-scan
+ provenance: false
+ sbom: false
+
+ - name: Build frontend image (local)
+ uses: docker/build-push-action@v6
+ with:
+ context: ./frontend
+ file: ./frontend/Dockerfile
+ push: false
+ load: true
+ tags: nexapg-frontend:dev-scan
+ build-args: |
+ VITE_API_URL=/api/v1
+ provenance: false
+ sbom: false
+
+ - name: Trivy scan (backend)
+ uses: aquasecurity/trivy-action@0.24.0
+ with:
+ image-ref: nexapg-backend:dev-scan
+ format: table
+ output: trivy-backend.txt
+ severity: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
+ ignore-unfixed: false
+ exit-code: 0
+
+ - name: Trivy scan (frontend)
+ uses: aquasecurity/trivy-action@0.24.0
+ with:
+ image-ref: nexapg-frontend:dev-scan
+ format: table
+ output: trivy-frontend.txt
+ severity: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
+ ignore-unfixed: false
+ exit-code: 0
+
+ - name: Print scan summary
+ run: |
+ echo "===== Backend CVE Scan ====="
+ cat trivy-backend.txt
+ echo
+ echo "===== Frontend CVE Scan ====="
+ cat trivy-frontend.txt
+
+ - name: Upload scan reports
+ uses: actions/upload-artifact@v4
+ with:
+ name: container-cve-scan-reports
+ path: |
+ trivy-backend.txt
+ trivy-frontend.txt
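Review bot: Both Trivy steps set `exit-code: 0`, so a CRITICAL finding in either image never fails the job — the scan is report-only, and nothing else in the workflow reads the table beyond printing and uploading it. If that is intentional for the `development` branch, say so in a comment on the step (`# report-only: findings do not gate this branch`); otherwise gate with `exit-code: 1` and `severity: HIGH,CRITICAL` and keep the full-severity table as a separate non-failing step. The workflow also declares no `permissions:` block, so the job runs with the repository's default `GITHUB_TOKEN` scope although checkout, a local build and an artifact upload only need `permissions:` / `  contents: read` at the top level. All five `uses:` references are pinned to mutable tags (`@v4`, `@v3`, `@v6`, `@0.24.0`); for a workflow whose purpose is supply-chain hygiene, pinning each action to a full commit SHA with the tag kept in a trailing comment is the usual hardening, since a tag can be moved to different code after review.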