Added trivy to pipeline

Author: DavidKalteis

.github/workflows/docker.yml

@@ -1,4 +1,4 @@
-name: Build and Push Docker Image
+name: Build, Scan and Push Docker Image
 
 on:
   push:
@@ -8,10 +8,17 @@ jobs:
   build:
     runs-on: ubuntu-latest
 
+    outputs:
+      image-tag: ${{ steps.tag.outputs.sha_tag }}
+
     steps:
     - name: Checkout code
       uses: actions/checkout@v3
 
+    - name: Set image tag
+      id: tag
+      run: echo "sha_tag=${GITHUB_SHA}" >> $GITHUB_OUTPUT
+
     - name: Log in to DockerHub
       uses: docker/login-action@v2
       with:
@@ -28,3 +35,32 @@ jobs:
         IMAGE_BASE=${{ secrets.DOCKERHUB_USERNAME }}/myhello
         docker push $IMAGE_BASE:latest
         docker push $IMAGE_BASE:${{ github.sha }}
+
+  scan:
+    runs-on: ubuntu-latest
+    needs: build
+
+    steps:
+    - name: Checkout code
+      uses: actions/checkout@v3
+
+    - name: Trivy Image Scan
+      uses: aquasecurity/trivy-action@master
+      with:
+        image-ref: ${{ secrets.DOCKERHUB_USERNAME }}/myhello:${{ needs.build.outputs.image-tag }}
+        format: 'table'
+        exit-code: '1'
+        ignore-unfixed: true
+        vuln-type: 'os,library'
+        severity: 'CRITICAL,HIGH'
+
+    - name: Trivy FS Scan (source & Dockerfile)
+      uses: aquasecurity/trivy-action@master
+      with:
+        scan-type: 'fs'
+        scan-ref: '.'
+        format: 'table'
+        exit-code: '1'
+        ignore-unfixed: true
+        vuln-type: 'os,library'
+        severity: 'CRITICAL,HIGH'