@@ -172,6 +172,7 @@ jobs:
172172 permissions :
173173 contents : read
174174 packages : write
175+ id-token : write # keyless cosign signing via OIDC
175176 steps :
176177 - name : Download digests
177178 uses : actions/download-artifact@v8
@@ -202,3 +203,49 @@ jobs:
202203 docker buildx imagetools create \
203204 $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \
204205 $(printf 'ghcr.io/${{ github.repository }}@sha256:%s ' *)
206+ - name : Install cosign
207+ uses : sigstore/cosign-installer@v3
208+ - name : Sign the published image (keyless)
209+ run : |
210+ tag=$(jq -cr '.tags[0]' <<< "$DOCKER_METADATA_OUTPUT_JSON")
211+ digest=$(docker buildx imagetools inspect "$tag" --format '{{.Manifest.Digest}}')
212+ cosign sign --yes "ghcr.io/${{ github.repository }}@${digest}"
213+
214+ # Build the runtime image and scan it for OS/dependency vulnerabilities.
215+ # Non-blocking for now (exit-code 0): findings surface in the Security tab.
216+ # Flip exit-code to 1 to gate once the baseline is clean.
217+ image-scan :
218+ name : Image Scan
219+ runs-on : ubuntu-latest
220+ permissions :
221+ contents : read
222+ security-events : write
223+ steps :
224+ - name : Checkout repository
225+ uses : actions/checkout@v6
226+ - name : Set up Docker Buildx
227+ uses : docker/setup-buildx-action@v4
228+ - name : Build image (amd64) for scanning
229+ uses : docker/build-push-action@v7
230+ with :
231+ context : .
232+ file : docker/Dockerfile
233+ platforms : linux/amd64
234+ load : true
235+ tags : postguard-business:scan
236+ cache-from : type=gha
237+ - name : Trivy vulnerability scan
238+ uses : aquasecurity/trivy-action@0.28.0
239+ with :
240+ image-ref : postguard-business:scan
241+ format : sarif
242+ output : trivy-results.sarif
243+ severity : HIGH,CRITICAL
244+ ignore-unfixed : true
245+ exit-code : ' 0'
246+ - name : Upload Trivy results
247+ if : always()
248+ uses : github/codeql-action/upload-sarif@v3
249+ with :
250+ sarif_file : trivy-results.sarif
251+ category : trivy
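Review bot: `cosign sign` on line 212 signs only the index digest that `imagetools inspect` returns, so a client that pulls a platform-specific manifest by its own digest finds no signature; add the recursive flag, `cosign sign --yes --recursive "ghcr.io/${{ github.repository }}@${digest}"`, so each per-platform manifest is signed as well. The digest is also re-resolved from the tag after the `imagetools create` step rather than taken from the manifest that was just pushed, so whatever the tag resolves to at that instant is what gets signed; if capturing the digest directly is not practical, a comment such as `# digest is re-resolved from the tag; trusted only because this runs in the same job right after imagetools create` makes that assumption explicit. On line 245, confirm the value handed to trivy-action is `'0'` with no leading whitespace — as rendered it reads `' 0'`, which may be a display artifact but would reach Trivy verbatim if real. The `# keyless cosign signing via OIDC` comment on line 175 could also note that the OIDC token is job-wide, so every step in that job, including `actions/download-artifact`, runs with `id-token: write`.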