From 45778fddbea02e0dc2610408d65b0b1ade8f7b33 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Adam=20Ciarcin=CC=81ski?=
Date: Fri, 22 Aug 2025 14:01:36 +0200
Subject: [PATCH 1/2] Scan images with Trivy
---
 .github/workflows/build-docker.yml | 17 +++++++++++++----
 .github/workflows/current.yml | 1 +
 2 files changed, 14 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/build-docker.yml b/.github/workflows/build-docker.yml
index 8409b2a672..13ded1fedf 100644
--- a/.github/workflows/build-docker.yml
+++ b/.github/workflows/build-docker.yml
@@ -40,7 +40,7 @@ jobs:
 permissions:
 contents: read
 packages: write
-
+
 steps:
 - name: Checkout
 uses: actions/checkout@v4
@@ -72,6 +72,16 @@ jobs:
 cache-from: type=gha
 cache-to: type=gha,mode=max
+ - name: Scan image with Trivy
+ uses: aquasecurity/trivy-action@0.32.0
+ with:
+ image-ref: "${{ env.GHCR_REPO }}:${{ github.sha }}-${{ matrix.tag }}"
+ format: "table"
+ exit-code: "1"
+ ignore-unfixed: true
+ vuln-type: "os,library"
+ severity: "CRITICAL,HIGH,MEDIUM"
+
 docker-manifest:
 runs-on: [self-hosted, Linux]
@@ -81,7 +91,7 @@ jobs:
 id-token: write # needed for signing the images with GitHub OIDC Token
 needs: [build-docker]
-
+
 steps:
 - name: Install Cosign
 uses: sigstore/cosign-installer@v3.9.2
@@ -111,7 +121,7 @@ jobs:
 docker manifest create ${tag} ${{ env.GHCR_REPO }}:${{ github.sha }}-amd64 ${{ env.GHCR_REPO }}:${{ github.sha }}-arm64
 docker manifest push ${tag}
 done
-
+
 - name: Sign the images with GitHub OIDC Token
 run: |
 images='${{ env.GHCR_REPO }}:${{ github.sha }} ${{ steps.meta.outputs.tags }}'
@@ -121,4 +131,3 @@ jobs:
 run: |
 images='${{ env.GHCR_REPO }}:${{ github.sha }} ${{ steps.meta.outputs.tags }}'
 cosign verify ${images} --certificate-oidc-issuer https://token.actions.githubusercontent.com --certificate-identity-regexp="https://github.com/DefGuard/defguard" -o text
-
diff --git a/.github/workflows/current.yml b/.github/workflows/current.yml
index 62bb823050..7547c30eff 100644
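Review bot: The new Trivy step in the `@@ -72,6 +72,16 @@` hunk pins `aquasecurity/trivy-action@0.32.0` to a mutable release tag; for a third-party action that is given a registry image and can fail the build on a self-hosted runner, pin it to the full commit SHA and keep the version in a comment, e.g. `uses: aquasecurity/trivy-action@<full-commit-sha>  # v0.32.0` (the SHA is a placeholder to take from the action's release). The step sits after the step carrying `cache-from`/`cache-to`, which appears to be the build-and-push step, and `image-ref` names the registry tag `${{ env.GHCR_REPO }}:${{ github.sha }}-${{ matrix.tag }}`, so with `exit-code: "1"` a finding blocks the `docker-manifest` job (`needs: [build-docker]`) and therefore the manifest and cosign signing, but the per-architecture image is already in GHCR when the scan runs. If unscanned images must not reach the registry, scan the locally built image before pushing; otherwise a comment on the step stating that the gate is the manifest/signing job would make the intended guarantee explicit. `ignore-unfixed: true` is the only unquoted input next to otherwise quoted values; `ignore-unfixed: "true"` keeps the style consistent. The enclosing job (presumably `build-docker`) starts outside the hunk.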
--- a/.github/workflows/current.yml
+++ b/.github/workflows/current.yml
@@ -9,6 +9,7 @@ on:
 - main
 - dev
 - "release/**"
+ - image_scan
 paths-ignore:
 - "*.md"
 - "LICENSE"
From 023aefec9ec2923dacaeeefa0eb6e5a7f26d6a5a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Adam=20Ciarcin=CC=81ski?=
Date: Fri, 22 Aug 2025 15:07:28 +0200
Subject: [PATCH 2/2] Remove test branch
---
 .github/workflows/current.yml | 1 -
 1 file changed, 1 deletion(-)
diff --git a/.github/workflows/current.yml b/.github/workflows/current.yml
index 7547c30eff..62bb823050 100644
--- a/.github/workflows/current.yml
+++ b/.github/workflows/current.yml
@@ -9,7 +9,6 @@ on:
 - main
 - dev
 - "release/**"
- - image_scan
 paths-ignore:
 - "*.md"
 - "LICENSE"