.github/workflows/scan.yaml

name: Scan
on:
  pull_request:
  push:
    branches: [ "main", "release-v*" ]
    tags:
      - "v*"
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - name: Set up Go
        uses: actions/setup-go@v5
        with:
          go-version-file: 'go.mod'
          check-latest: true
      - name: Set up Docker Buildx
        id: buildx
        uses: docker/setup-buildx-action@v3.2.0
      - name: Build operator
        run: make operator
      - name: Build image
        uses: docker/build-push-action@v6.7.0
        with:
          context: .
          tags: ghcr.io/rancher/eks-operator:${{ github.sha }}
          load: true
          push: false
          file: package/Dockerfile
          build-args: |
            TAG=${{ github.sha }}
            REPO=ghcr.io/rancher/eks-operator
            COMMIT=${{ github.sha }}
      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: "ghcr.io/rancher/eks-operator:${{ github.sha }}"
          format: "table"
          exit-code: "1"
          ignore-unfixed: true
          severity: "CRITICAL,HIGH"