feat: scan and upload to security

.github/workflows/trivy-frontend.yml

@@ -5,12 +5,16 @@ on:
   pull_request:
     types:
       - opened
+      - synchronize
+      - reopened
+      - ready_for_review
     branches:
       - main
       - develop
 
 env:
   IMAGE_NAME: frontend
+  VERSION: v1
 
 jobs:
   build_docker_image:
@@ -31,13 +35,19 @@ jobs:
         run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin
 
       - name: Push image
-        run: |
-          IMAGE_ID=ghcr.io/${{ github.repository_owner }}/$IMAGE_NAME
-          IMAGE_ID=$(echo $IMAGE_ID | tr '[A-Z]' '[a-z]')
-          VERSION=$(echo "${{ github.ref }}" | sed -e 's,.*/\(.*\),\1,')
-          [[ "${{ github.ref }}" == "refs/tags/"* ]] && VERSION=$(echo $VERSION | sed -e 's/^v//')
-          [ "$VERSION" == "main" ] && VERSION=latest
-          echo IMAGE_ID=$IMAGE_ID
-          echo VERSION=$VERSION
-          docker tag $IMAGE_NAME $IMAGE_ID:$VERSION
-          docker push $IMAGE_ID:$VERSION
+        run: docker push ghcr.io/${{ github.repository_owner }}/cpf/$IMAGE_NAME:$VERSION
+
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/[email protected]
+        with:
+          image-ref: "ghcr.io/${{ github.repository_owner }}/cpf/$IMAGE_NAME:$VERSION"
+          scanners: "vuln,secret,config"
+          format: "sarif"
+          output: "trivy-fe-results.sarif"
+          severity: "CRITICAL,HIGH"
+
+      - name: Upload scan result to Github Security
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: trivy-fe-results.sarif
+          category: "image"