feat: add sbom vuln evaluation #4


	# Source: https://github.com/Josep-Andreu/segur_cloud/blob/main/build-and-push.yaml

	name: Build and Push to Quay

	on:
	push:
	branches:
	- main

	env:
	FULL_IMAGE: quay.io/mguzman98/jboss_lab:v1.0.0

	jobs:
	build-scan-push:
	runs-on: ubuntu-latest

	steps:
	- name: 🧩 Checkout code
	uses: actions/checkout@v4

	- name: 🔧 Build container image
	run: \|
	docker build -t $FULL_IMAGE .

	- name: 🔍 Scan image with Trivy
	uses: aquasecurity/trivy-action@master
	with:
	image-ref: ${{ env.FULL_IMAGE }}
	severity: HIGH,CRITICAL
	exit-code: 1
	ignore-unfixed: true

	# 🧾 Generate SBOM with Syft (syft-json format)
	- name: 🧾 Generate SBOM (Syft)
	run: \|
	docker run --rm \
	-v /var/run/docker.sock:/var/run/docker.sock \
	-v "$PWD":/work \
	anchore/syft:latest "$FULL_IMAGE" -o syft-json > sbom.syft.json
	test -s sbom.syft.json && echo "SBOM created: sbom.syft.json"
	- name: 📤 Upload SBOM artifact
	uses: actions/upload-artifact@v4
	with:
	name: sbom-syft-json
	path: sbom.syft.json
	if-no-files-found: error
	retention-days: 14

	# 🛡 Evaluate SBOM with Grype (fail build on HIGH or CRITICAL vulns)
	- name: 🛡 Vulnerability scan (Grype on SBOM)
	run: \|
	docker run --rm \
	-v "$PWD":/work \
	anchore/grype:latest /work/sbom.syft.json \
	--fail-on high \
	--only-fixed=false \
	--add-cpes-if-none
	- name: 🔑 Login to Quay.io
	run: \|
	docker login quay.io -u "${{ secrets.QUAY_USER }}" -p "${{ secrets.QUAY_PASSWORD }}"

	- name: 🚀 Push image to Quay.io
	run: \|
	docker push $FULL_IMAGE

Provide feedback