ci: scan Docker image for CRITICAL/HIGH CVEs with Trivy

Runs aquasecurity/trivy-action after the build step and fails the
workflow if any CRITICAL or HIGH severity vulnerabilities are found,
blocking the push to Docker Hub.

.github/workflows/docker-image.yml

@@ -25,6 +25,13 @@ jobs:
           docker build . --file Dockerfile --tag $IMAGE_TAG
           echo "IMAGE_TAG=$IMAGE_TAG" >> $GITHUB_ENV
 # Uncomment below to push the image to Docker Hub (or another registry)
+      - name: Scan image for vulnerabilities
+        uses: aquasecurity/trivy-action@0.30.0
+        with:
+          image-ref: ${{ env.IMAGE_TAG }}
+          format: table
+          exit-code: '1'
+          severity: CRITICAL,HIGH
       - name: Push the Docker image
         if: github.event_name == 'push'
         run: |