scan.yml

name: Scan docker image for security vulnerabilities

on:
  workflow_call:
    inputs:
      image:
        required: true
        type: string

env:
  IMAGE: ${{ inputs.image }}

jobs:
  scan:
    permissions:
      security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
    runs-on: ubuntu-latest
    steps:
      - name: Logging
        run: |
          echo "Scanning ${{ env.IMAGE }} of ${{ github.ref_name }}..."

      - name: Checkout code
        uses: actions/checkout@v4

      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: ${{ env.IMAGE }}
          format: 'sarif'
          output: 'trivy-results.sarif'
        env:
          TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db

      - name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: 'trivy-results.sarif'

      - name: Run the Anchore scan action itself with GitHub Advanced Security code scanning integration enabled
        uses: anchore/scan-action@v5
        with:
          image: ${{ env.IMAGE }}
          output-format: sarif
          fail-build: false

      - name: Upload Anchore Scan Report
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: 'results.sarif'