feat: Add Trivy scanner to the pipeline

Signed-off-by: Hubert Siwik <[email protected]>

.github/workflows/verifyimage.yml

@@ -14,6 +14,7 @@ jobs:
     runs-on: ubuntu-latest
     outputs:
       targets: ${{ steps.generate.outputs.targets }}
+      repo: ${{ steps.metadata.outputs.repo }}
     steps:
       - name: Checkout
         uses: actions/checkout@v4
@@ -25,6 +26,10 @@ jobs:
           curl -sSL https://raw.githubusercontent.com/owasp-modsecurity/ModSecurity/v3/master/modsecurity.conf-recommended -o modsecurity.conf-recommended
           echo '${{ env.MODSECURITY_RECOMMENDED }}' > sha256sum.txt
           sha256sum -c sha256sum.txt
+      # The environment variable is not accessible in the context of "with" section
+      - name: Set a repo output
+        id: metadata
+        run: echo "repo=${REPO}" >> "$GITHUB_OUTPUT"
 
   build:
     runs-on: ubuntu-latest
@@ -60,6 +65,18 @@ jobs:
           load: true
           push: false
 
+      # In case of TOOMANYREQUESTS the cache mechanism should be considered
+      - name: Scan ${{ matrix.target }}
+        uses: aquasecurity/[email protected]
+        with:
+          image-ref: ${{ needs.prepare.outputs.repo }}:${{ matrix.target }}
+          format: 'table'
+          exit-code: '1'
+          ignore-unfixed: true
+          vuln-type: 'os,library'
+          severity: 'CRITICAL,HIGH'
+          scanners: 'vuln,secret'
+
       - name: Run ${{ matrix.target }}
         run: |
           echo "Starting container ${{ matrix.target }}"