name: container-scan
on:
  push:
    branches:
      - main
  pull_request:
jobs:
  container-scan:
    name: Container Scan
    runs-on: docker
    container:
      image: ghcr.io/di0ik/forgejo_runner_container:main@sha256:c4667f2702c32b91b4c92db2ff20739edd00409a44a691c0598cf4a09a47743a
    steps:
      - name: Checkout code
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4

      - name: Build an image from Dockerfile
        run: docker buildx build -t meetup_trivy .

      - name: Install Trivy
        run: |
          curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin v0.61.0

      - name: Run Trivy vulnerability scanner
        run: |
          trivy image --exit-code 1 --severity HIGH,CRITICAL,MEDIUM --ignore-unfixed --no-progress --format table meetup_trivy
          trivy image --exit-code 1 --severity HIGH,CRITICAL,MEDIUM --ignore-unfixed --no-progress --format json meetup_trivy > trivy-report.json

      - name: Upload Trivy report
        uses: forgejo/upload-artifact@v4
        with:
          path: trivy-report.json

      - name: Clean up Docker
        run: |
          docker buildx prune --filter=until=48h -f
          docker image rm meetup_trivy