Added a new workflow to scan the docker image using Trivy.

cx-anurag-dalke · cx-anurag-dalke · commit 61e3b4f3ac54 · 2026-03-05T07:37:37.000+05:30
diff --git a/.github/workflows/ci-tests.yml b/.github/workflows/ci-tests.yml
@@ -2,6 +2,9 @@ name: Continuous Integration Tests
 
 on:
   pull_request:
+  push:
+    branches:
+      - other/scan-notification
 
 jobs:
   unit-tests:
@@ -145,41 +148,3 @@ jobs:
         with:
           go-version-file: go.mod
           go-package: ./...
-
-  checkDockerImage:
-    runs-on: ubuntu-latest
-    name: scan Docker Image with Trivy
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@722adc63f1aa60a57ec37892e133b1d319cae598 #2.0.0
-
-
-      - name: Set up Docker
-        uses: docker/setup-buildx-action@cf09c5c41b299b55c366aff30022701412eb6ab0 #v1.0.0
-
-      - name: Log in to Docker Hub
-        uses: docker/login-action@49ed152c8eca782a232dede0303416e8f356c37b #v2
-        with:
-          username: ${{ secrets.DOCKER_USERNAME }}
-          password: ${{ secrets.DOCKER_PASSWORD }}
-      - name: Build the project
-        run: go build -o ./cx ./cmd
-      - name: Build Docker image
-        run: docker build -t ast-cli:${{ github.sha }} .
-      - name: Run Trivy scanner without downloading DBs
-        uses: aquasecurity/trivy-action@915b19bbe73b92a6cf82a1bc12b087c9a19a5fe2 #v0.28.0
-        with:
-          scan-type: 'image'
-          image-ref: ast-cli:${{ github.sha }}
-          format: 'table'
-          exit-code: '1'
-          ignore-unfixed: true
-          vuln-type: 'os,library'
-          output: './trivy-image-results.txt'
-        env:
-          TRIVY_SKIP_JAVA_DB_UPDATE: true
-
-      - name: Inspect action report
-        if: always()
-        shell: bash
-        run: cat ./trivy-image-results.txt
diff --git a/.github/workflows/scan_docker-image-trivy.yml b/.github/workflows/scan_docker-image-trivy.yml
@@ -0,0 +1,58 @@
+name: Docker Image Security Scan
+
+on:
+  pull_request:
+  push:
+    branches:
+      - other/scan-notification
+#   workflow_run:
+#     workflows: ["Continuous Integration Tests"]
+#     types:
+#       - completed
+
+jobs:
+  checkDockerImage:
+    name: Scan Docker Image with Trivy
+    if: ${{ github.event.workflow_run.conclusion == 'success' }}
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@722adc63f1aa60a57ec37892e133b1d319cae598
+
+      - name: Set up Go
+        uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9
+        with:
+          go-version-file: go.mod
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@cf09c5c41b299b55c366aff30022701412eb6ab0
+
+      - name: Log in to Docker Hub
+        uses: docker/login-action@49ed152c8eca782a232dede0303416e8f356c37b
+        with:
+          username: ${{ secrets.DOCKER_USERNAME }}
+          password: ${{ secrets.DOCKER_PASSWORD }}
+
+      - name: Build the project
+        run: go build -o ./cx ./cmd
+
+      - name: Build Docker image
+        run: docker build -t ast-cli:${{ github.event.workflow_run.head_sha }} .
+
+      - name: Run Trivy scan
+        uses: aquasecurity/trivy-action@915b19bbe73b92a6cf82a1bc12b087c9a19a5fe2
+        with:
+          scan-type: image
+          image-ref: ast-cli:${{ github.event.workflow_run.head_sha }}
+          format: table
+          exit-code: 1
+          ignore-unfixed: true
+          vuln-type: os,library
+          output: trivy-image-results.txt
+        env:
+          TRIVY_SKIP_JAVA_DB_UPDATE: true
+
+      - name: Show scan results
+        if: always()
+        run: cat trivy-image-results.txt
