Diffstat (limited to '.github/workflows/ci.yml')
-rw-r--r--.github/workflows/ci.yml62
1 files changed, 62 insertions, 0 deletions
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 5cf4541..9c6d707 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -60,3 +60,65 @@ jobs:
with:
name: dev-build-files
path: ./build
+
+ Trivy-dev-test:
+ runs-on: ubuntu-latest
+ needs: Build
+ permissions:
+ security-events: write
+ steps:
+ - uses: actions/download-artifact@v3
+ with:
+ name: source-code
+ path: .
+ - uses: actions/download-artifact@v3
+ with:
+ name: dev-build-files
+ path: ./build
+ - uses: docker/setup-buildx-action@v1
+ - run: docker build -t pico-web-dev -f ./docker/dev/Dockerfile .
+
+ - name: Run Trivy vulnerability scanner
+ uses: aquasecurity/trivy-action@master
+ with:
+ image-ref: pico-web-dev
+ format: 'sarif'
+ output: 'trivy-results.sarif'
+ exit-code: 0
+ ignore-unfixed: true
+
+ - name: Upload Trivy scan results to GitHub Security tab
+ uses: github/codeql-action/upload-sarif@v2
+ with:
+ sarif_file: 'trivy-results.sarif'
+ sha: ${{ github.sha }}
+ ref: ${{ github.ref }}
+
+ Trivy-prod-test:
+ runs-on: ubuntu-latest
+ needs: Build
+ permissions:
+ security-events: write
+ steps:
+ - uses: actions/download-artifact@v3
+ with:
+ name: source-code
+ path: .
+ - uses: docker/setup-buildx-action@v1
+ - run: docker build -t pico-web -f ./docker/prod/Dockerfile .
+
+ - name: Run Trivy vulnerability scanner
+ uses: aquasecurity/trivy-action@master
+ with:
+ image-ref: pico-web
+ format: 'sarif'
+ output: 'trivy-results.sarif'
+ exit-code: 0
+ ignore-unfixed: true
+
+ - name: Upload Trivy scan results to GitHub Security tab
+ uses: github/codeql-action/upload-sarif@v2
+ with:
+ sarif_file: 'trivy-results.sarif'
+ sha: ${{ github.sha }}
+ ref: ${{ github.ref }}
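Review bot: The two new jobs run a third-party action from a mutable branch reference, `uses: aquasecurity/trivy-action@master`, in both Trivy-dev-test and Trivy-prod-test; anything pushed to that branch runs in this workflow with `security-events: write`, so the reference should be pinned to an immutable commit SHA (with the version noted in a trailing comment), e.g. `uses: aquasecurity/trivy-action@<commit-sha>  # <release-tag>`. The other `uses:` entries in the hunk are pinned only to major tags (`@v3`, `@v1`, `@v2`), which is a weaker but common compromise; pinning them by SHA as well would make the whole hunk consistent. Separately, `exit-code: 0` combined with `ignore-unfixed: true` means the scan only reports and never fails the job, which looks intended for a Security-tab feed but deserves a one-line comment above each `exit-code:` saying so, since a reader may otherwise assume the build is gated. The enclosing `jobs:` mapping starts before this hunk.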