Add vulnerability scanning

.github/workflows/docker-publish.yml

@@ -24,7 +24,6 @@ jobs:
           images: |
             ${{ env.IMAGE_NAME }}
           tags: |
-            type=sha
             type=semver,pattern={{raw}}
 
           labels: |
@@ -57,3 +56,13 @@ jobs:
           labels: ${{ steps.meta.outputs.labels }}
           cache-from: type=registry,ref=${{ env.IMAGE_NAME }}:buildcache
           cache-to: type=registry,ref=${{ env.IMAGE_NAME }}:buildcache,mode=max
+
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/[email protected]
+        with:
+          image-ref: ${{ env.IMAGE_NAME }}:latest
+          format: 'table'
+          exit-code: '1'
+          ignore-unfixed: true
+          vuln-type: 'os,library'
+          severity: 'CRITICAL,HIGH'

.github/workflows/vuln-scan.yml

@@ -0,0 +1,25 @@
+name: build
+on:
+  workflow_dispatch:
+  pull_request:
+jobs:
+  signer:
+    name: Build and Scan Signer
+    runs-on: ubuntu-22.04
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v3
+
+      - name: Build an image
+        run: |
+          docker build -t signer  .
+
+      - name: Peptide vulnerability scan
+        uses: aquasecurity/[email protected]
+        with:
+          image-ref: 'signer'
+          format: 'table'
+          exit-code: '1'
+          ignore-unfixed: true
+          vuln-type: 'os,library'
+          severity: 'CRITICAL,HIGH'