Add trivy scanning to release workflows.

Signed-off-by: Matt Moore <[email protected]>
chainguard-images · Apr 12, 2022 · 14f24c6 · 14f24c6
1 parent 4227c86
commit 14f24c6
Showing 1 changed file with 9 additions and 0 deletions.
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -24,10 +24,19 @@ jobs:
     steps:
     - uses: actions/checkout@v3
     - uses: distroless/actions/apko-snapshot@main
+      id: apko-snapshot
       with:
         config: .apko.yaml
         base-tag: ghcr.io/${{ github.repository }}
 
+    - uses: aquasecurity/trivy-action@master
+      with:
+        image-ref: ${{ steps.apko-snapshot.outputs.digest }}
+        format: 'table'
+        exit-code: '1'
+        vuln-type: 'os,library'
+        severity: 'CRITICAL,HIGH,MEDIUM,LOW,UNKNOWN'
+
     # Post to slack when things fail.
     - if: ${{ failure() }}
       uses: rtCamp/[email protected]