scan-image.yml

---
  name: Scan Image

  on:
    pull_request:
      branches:
        - main

  permissions: {}

  jobs:
    scan-image:
      name: Scan Image
      runs-on: ubuntu-latest
      permissions:
        contents: read
        security-events: write
      steps:
        - name: Checkout
          id: checkout
          uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7

        - name: Build Image
          id: build_image
          uses: docker/build-push-action@15560696de535e4014efeff63c48f16952e52dd1 # v6.2.0
          with:
            push: false
            load: true
            tags: ollamate

        - name: Scan Image
          id: scan_image
          uses: aquasecurity/trivy-action@7c2007bcb556501da015201bcba5aa14069b74e2 # v0.23.0
          with:
            image-ref: ollamate
            exit-code: 1
            format: sarif
            output: trivy-results.sarif
            severity: CRITICAL
            limit-severities-for-sarif: true

        - name: Scan Image (On SARIF Scan Failure)
          if: failure() && steps.scan_image.outcome == 'failure'
          id: scan_image_on_failure
          uses: aquasecurity/trivy-action@7c2007bcb556501da015201bcba5aa14069b74e2 # v0.23.0
          with:
            image-ref: ollamate
            exit-code: 1
            format: table
            severity: CRITICAL

        - name: Upload SARIF
          if: always()
          id: upload_sarif
          uses: github/codeql-action/upload-sarif@b611370bb5703a7efb587f9d136a52ea24c5c38c # v2.2.7
          with:
            sarif_file: trivy-results.sarif