Update image references in Trivy scan workflow #5
```yaml
name: Scan, Block, and Push Image CI

on:
  push:
    branches: [ main ]
  pull_request:
    branches: [ main ]

jobs:
  scan_and_push:
    runs-on: ubuntu-latest
    steps:
      # ... [Checkout, Build, and Tag Steps] ...

      # --- TRIVY SCANNING (BLOCKING STEP) ---
      - name: 🚨 Scan Container Image and Block Vulnerabilities
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: 'peace5/cosign-test-app:1.0'
          severity: 'CRITICAL,HIGH'
          exit-code: '1'

      # --- SBOM GENERATION (NEW STEP) ---
      - name: Generate SBOM (CycloneDX format)
        if: always()
        run: |
          # The Trivy action handles installation, so you can call 'trivy' directly here.
          trivy image --format cyclonedx --output sbom.json peace5/cosign-test-app:1.0

      # --- ARTIFACT UPLOAD (NEW STEP) ---
      - name: Upload SBOM as Artifact
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: ${{ github.sha }}_sbom
          path: sbom.json

      # --- FINAL PUSH (CONDITIONAL STEP) ---
      - name: Push Image to Registry
        # This conditional check (if: success()) still relies on the critical 'Scan' step passing.
        if: success()
        run: docker push peace5/cosign-test-app:1.0
```
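The blocking behaviour the workflow relies on (`severity: 'CRITICAL,HIGH'` plus `exit-code: '1'`) can be reproduced outside the action, for instance to gate on a saved report or to review what would have failed a build. The following is an added example, not part of this PR or of the Trivy project: a small gate over a Trivy JSON report (`trivy image --format json`), using a constructed sample report rather than real scan output. The field names (`Results`, `Target`, `Vulnerabilities`, `VulnerabilityID`, `PkgName`, `Severity`) follow Trivy's JSON schema; the vulnerability IDs are placeholders.

```python
import json
import sys
from typing import Dict, List

# Constructed sample of a Trivy JSON report, trimmed to the fields the gate
# needs.  This is NOT real scan output; the IDs are placeholders.
SAMPLE_TRIVY_REPORT: Dict = {
    "ArtifactName": "peace5/cosign-test-app:1.0",
    "Results": [
        {
            "Target": "peace5/cosign-test-app:1.0 (os packages)",
            "Vulnerabilities": [
                {"VulnerabilityID": "PLACEHOLDER-0001", "PkgName": "libexample",
                 "Severity": "HIGH", "FixedVersion": "1.2.3"},
                {"VulnerabilityID": "PLACEHOLDER-0002", "PkgName": "otherpkg",
                 "Severity": "LOW"},
            ],
        },
        # Trivy emits "Vulnerabilities": null for a clean target; handle that.
        {"Target": "app/requirements.txt", "Vulnerabilities": None},
    ],
}


def blocking_findings(report: Dict, severities: str = "CRITICAL,HIGH") -> List[Dict]:
    """Return findings whose severity is in the comma-separated gate list,
    mirroring the action's `severity:` input."""
    wanted = {s.strip().upper() for s in severities.split(",") if s.strip()}
    found = []
    for result in report.get("Results") or []:
        for vuln in result.get("Vulnerabilities") or []:
            if vuln.get("Severity", "UNKNOWN").upper() in wanted:
                found.append({"id": vuln.get("VulnerabilityID"),
                              "pkg": vuln.get("PkgName"),
                              "severity": vuln["Severity"].upper(),
                              "fixed": vuln.get("FixedVersion", ""),
                              "target": result.get("Target")})
    return found


def gate_exit_code(report: Dict, severities: str = "CRITICAL,HIGH", exit_code: int = 1) -> int:
    """Equivalent of `exit-code: '1'`: non-zero when any gated finding exists,
    so a later `if: success()` step (the push) is skipped."""
    return exit_code if blocking_findings(report, severities) else 0


if __name__ == "__main__":
    # Usage: python gate.py [trivy-report.json]; falls back to the sample.
    report = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_TRIVY_REPORT
    for f in blocking_findings(report):
        print(f"{f['severity']:8} {f['id']} {f['pkg']} (fix: {f['fixed'] or 'none'}) in {f['target']}")
    sys.exit(gate_exit_code(report))
```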