.github/workflows/pull-scan-push-images.yml

---
    name: Pull images, scan, push to GHCR
    on:
      workflow_dispatch:
      schedule:
        - cron: '0 5 * * 0'

    jobs:
      pull-and-scan:
        runs-on: ubuntu-latest
        permissions:
          contents: read
          packages: write
          security-events: write
        env:
          GH_REPO: gsa-tts/cg-supabase
        strategy:
          fail-fast: false
          matrix:
            image:
              - name: ghcr.io/supabase/postgres-meta:v0.83.2
                short-name: meta
              - name: postgrest/postgrest:latest
                short-name: rest
              - name: ghcr.io/supabase/storage-api:v1.7.0
                short-name: storage
        name: Scan ${{ matrix.image.short-name }}
        steps:
          - name: Checkout
            uses: actions/checkout@v4
    
          - name: Set up Docker Buildx
            id: buildx
            uses: docker/setup-buildx-action@v3
    
          - name: Pull Docker Image
            run: docker pull ${{ matrix.image.name }}
    
          - name: Scan Image
            uses: aquasecurity/trivy-action@0.24.0
            with:
              scan-type: 'image'
              image-ref: ${{ matrix.image.name }}
              format: 'sarif'
              output: 'trivy-results.sarif'
              severity: 'CRITICAL,HIGH'
              exit-code: 1
              scanners: 'vuln'

          # Upload results to GH Code Scanning even if the scan exited with 1 due to CRITICAL/HIGH findings
          # Just don't carry on and push the image to GHCR!
          - name: Upload Trivy scan results to GitHub Security tab
            uses: github/codeql-action/upload-sarif@v3
            if: ${{ !cancelled() }}
            with:
              sarif_file: 'trivy-results.sarif'
            

          - name: Tag Image
            run: |
              date=$(date +%Y%m%d)
              docker tag ${{ matrix.image.name }} ghcr.io/${{ env.GH_REPO }}/${{ matrix.image.short-name }}:latest
              docker tag ${{ matrix.image.name }} ghcr.io/${{ env.GH_REPO }}/${{ matrix.image.short-name }}:scanned
              docker tag ${{ matrix.image.name }} ghcr.io/${{ env.GH_REPO }}/${{ matrix.image.short-name }}:$date
    
          - name: Login to GitHub Container Registry
            uses: docker/login-action@v3
            with:
              registry: ghcr.io
              username: ${{ github.repository_owner }}
              password: ${{ secrets.GITHUB_TOKEN }}
    
          - name: Push Image
            run: docker push --all-tags ghcr.io/${{ env.GH_REPO }}/${{ matrix.image.short-name }}
    