From d17752b611e64a219c0b1e7851727cdbe428c67d Mon Sep 17 00:00:00 2001
From: nessi
Date: Sat, 14 Feb 2026 18:16:54 +0100
Subject: [PATCH] Add CVE scan workflow for development branch
This commit introduces a GitHub Actions workflow to scan for CVEs in backend and frontend container images. It uses Trivy for scanning and uploads the reports as artifacts, providing better visibility into vulnerabilities in development builds.
---
.../container-cve-scan-development.yml | 78 +++++++++++++++++++
1 file changed, 78 insertions(+)
create mode 100644 .github/workflows/container-cve-scan-development.yml
diff --git a/.github/workflows/container-cve-scan-development.yml b/.github/workflows/container-cve-scan-development.yml
new file mode 100644
index 0000000..adf2e3b
--- /dev/null
+++ b/.github/workflows/container-cve-scan-development.yml
@@ -0,0 +1,78 @@
+name: Container CVE Scan (development)
+
+on:
+ push:
+ branches: ["development"]
+ workflow_dispatch:
+
+jobs:
+ cve-scan:
+ name: Scan backend/frontend images for CVEs
+ runs-on: ubuntu-latest
+
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@v3
+
+ - name: Build backend image (local)
+ uses: docker/build-push-action@v6
+ with:
+ context: ./backend
+ file: ./backend/Dockerfile
+ push: false
+ load: true
+ tags: nexapg-backend:dev-scan
+ provenance: false
+ sbom: false
+
+ - name: Build frontend image (local)
+ uses: docker/build-push-action@v6
+ with:
+ context: ./frontend
+ file: ./frontend/Dockerfile
+ push: false
+ load: true
+ tags: nexapg-frontend:dev-scan
+ build-args: |
+ VITE_API_URL=/api/v1
+ provenance: false
+ sbom: false
+
+ - name: Trivy scan (backend)
+ uses: aquasecurity/trivy-action@0.24.0
+ with:
+ image-ref: nexapg-backend:dev-scan
+ format: table
+ output: trivy-backend.txt
+ severity: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
+ ignore-unfixed: false
+ exit-code: 0
+
+ - name: Trivy scan (frontend)
+ uses: aquasecurity/trivy-action@0.24.0
+ with:
+ image-ref: nexapg-frontend:dev-scan
+ format: table
+ output: trivy-frontend.txt
+ severity: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
+ ignore-unfixed: false
+ exit-code: 0
+
+ - name: Print scan summary
+ run: |
+ echo "===== Backend CVE Scan ====="
+ cat trivy-backend.txt
+ echo
+ echo "===== Frontend CVE Scan ====="
+ cat trivy-frontend.txt
+
+ - name: Upload scan reports
+ uses: actions/upload-artifact@v4
+ with:
+ name: container-cve-scan-reports
+ path: |
+ trivy-backend.txt
+ trivy-frontend.txt
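Review bot: The workflow declares no `permissions:` block, so the job's GITHUB_TOKEN receives whatever the repository's default token scope is, although the visible steps (checkout, local image builds, Trivy scans, artifact upload) only need to read the checkout; add `permissions:` / `  contents: read` at the top level above `jobs:` so the token stays least-privilege. In the same spirit, every `uses:` reference in the hunk (`actions/checkout@v4`, `docker/setup-buildx-action@v3`, `docker/build-push-action@v6`, `aquasecurity/trivy-action@0.24.0`, `actions/upload-artifact@v4`) is pinned to a mutable tag; pinning each to its full commit SHA with the version kept in a trailing comment, e.g. `uses: aquasecurity/trivy-action@<commit-sha-placeholder> # 0.24.0`, removes the tag-retargeting risk in a job that builds and inspects your own images. Both Trivy steps also set `exit-code: 0`, which matches the commit's "visibility" intent but means a CRITICAL finding never fails the run and is only noticed by someone opening the artifact; a comment on those lines stating that this is deliberate for the development branch, or a second scan step restricted to `severity: CRITICAL` with `exit-code: 1`, would make the policy explicit rather than implicit.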