From aa7fefe497736d7c768aa5728a41e13820e7e87f Mon Sep 17 00:00:00 2001
From: Steve Dogiakos
Date: Sat, 28 Mar 2026 23:23:33 -0600
Subject: [PATCH] ci: scan Docker image for CRITICAL/HIGH CVEs with Trivy

Runs aquasecurity/trivy-action after the build step and fails the workflow if any CRITICAL or HIGH severity vulnerabilities are found, blocking the push to Docker Hub.
---
 .github/workflows/docker-image.yml | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/.github/workflows/docker-image.yml b/.github/workflows/docker-image.yml
index 42deb0d..fdb9527 100644
--- a/.github/workflows/docker-image.yml
+++ b/.github/workflows/docker-image.yml
@@ -25,6 +25,13 @@ jobs:
 docker build . --file Dockerfile --tag $IMAGE_TAG
 echo "IMAGE_TAG=$IMAGE_TAG" >> $GITHUB_ENV
 # Uncomment below to push the image to Docker Hub (or another registry)
+ - name: Scan image for vulnerabilities
+ uses: aquasecurity/trivy-action@0.30.0
+ with:
+ image-ref: ${{ env.IMAGE_TAG }}
+ format: table
+ exit-code: '1'
+ severity: CRITICAL,HIGH
 - name: Push the Docker image
 if: github.event_name == 'push'
 run: |
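Review bot: `uses: aquasecurity/trivy-action@0.30.0` pins the scanner to a mutable release tag, so the step that gates the Docker Hub push is itself fetched from a reference that can be moved upstream; pin it to the full-length commit SHA of that release, `uses: aquasecurity/trivy-action@<40-hex-commit-sha-of-0.30.0> # v0.30.0`, keeping the version in the trailing comment so update tooling can still track it. As written the gate also fails on CRITICAL/HIGH findings that have no fix available yet, which blocks every push until the affected package ships one; if that is not the intended policy, adding `ignore-unfixed: true` under `with:` limits failures to findings a base-image bump or rebuild can actually resolve. The `with:` block quotes `exit-code: '1'` but not `format: table` or `severity: CRITICAL,HIGH`; all three are strings, so quoting them consistently avoids suggesting the difference is meaningful. The build job's step list begins outside the hunk.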