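# Advisory container CVE scan for the development branch.
# Both images are built locally (never pushed) and scanned with Trivy; the
# reports are printed to the log and uploaded as artifacts.
name: Container CVE Scan (development)

on:
  push:
    branches: ["development"]
  workflow_dispatch:

# Least privilege for GITHUB_TOKEN: this job only needs to read the
# repository. Artifact upload uses the runtime token, not GITHUB_TOKEN,
# so no additional permission is required.
permissions:
  contents: read

jobs:
  cve-scan:
    name: Scan backend/frontend images for CVEs
    runs-on: ubuntu-latest
    steps:
      # NOTE(review): third-party actions are pinned by tag. Pinning to a
      # full commit SHA would protect against a moved or re-tagged release.
      - name: Checkout
        uses: actions/checkout@v4

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      # push: false / load: true keeps the image in the local Docker daemon
      # so Trivy can scan it by tag. provenance/sbom are disabled because
      # attestations cannot be attached to a locally loaded image.
      - name: Build backend image (local)
        uses: docker/build-push-action@v6
        with:
          context: ./backend
          file: ./backend/Dockerfile
          push: false
          load: true
          tags: nexapg-backend:dev-scan
          provenance: false
          sbom: false

      - name: Build frontend image (local)
        uses: docker/build-push-action@v6
        with:
          context: ./frontend
          file: ./frontend/Dockerfile
          push: false
          load: true
          tags: nexapg-frontend:dev-scan
          build-args: |
            VITE_API_URL=/api/v1
          provenance: false
          sbom: false

      # Reports every severity, including findings with no available fix
      # (ignore-unfixed: false). exit-code: 0 makes the scan advisory only:
      # CRITICAL findings are reported but never fail the job.
      - name: Trivy scan (backend)
        uses: aquasecurity/trivy-action@0.24.0
        with:
          image-ref: nexapg-backend:dev-scan
          format: table
          output: trivy-backend.txt
          severity: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
          ignore-unfixed: false
          exit-code: 0

      - name: Trivy scan (frontend)
        uses: aquasecurity/trivy-action@0.24.0
        with:
          image-ref: nexapg-frontend:dev-scan
          format: table
          output: trivy-frontend.txt
          severity: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
          ignore-unfixed: false
          exit-code: 0

      - name: Print scan summary
        run: |
          echo "===== Backend CVE Scan ====="
          cat trivy-backend.txt
          echo
          echo "===== Frontend CVE Scan ====="
          cat trivy-frontend.txt

      - name: Upload scan reports
        uses: actions/upload-artifact@v4
        with:
          name: container-cve-scan-reports
          path: |
            trivy-backend.txt
            trivy-frontend.txt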