PrivateCaptcha/.github/workflows/docker-security.yaml

name: Container Image Scan

on:
  push:
    branches:
    - main
    paths:
    - 'docker/Dockerfile'
    - '.github/workflows/docker-security.yaml'
  pull_request:
    types: [opened, synchronize, reopened]
    branches:
      - main

jobs:
  build:
    runs-on: ubuntu-latest
    # Permissions key is required for CodeQL SARIF Upload, per the docs:
    # https://docs.github.com/en/code-security/code-scanning/integrating-with-code-scanning/uploading-a-sarif-file-to-github
    permissions:
      security-events: write
    steps:
      - uses: actions/checkout@v6

      - name: Build the Container image
        run: make build-docker DOCKER_IMAGE='localbuild/testimage'

      - uses: anchore/scan-action@v6
        id: scan
        with:
          image: "localbuild/testimage:latest"
          fail-build: true
          severity-cutoff: critical

      - name: Upload Anchore scan SARIF report
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: ${{ steps.scan.outputs.sarif }}