Execute Trivy Docker Image Scan on Release

.github/workflows/ci.yml

@@ -39,10 +39,41 @@ jobs:
     - name: Perform CodeQL Analysis
       uses: github/codeql-action/analyze@v1
 
+  image-scan:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v2
+
+    - name: Set up Docker Buildx
+      uses: docker/setup-buildx-action@v2
+
+    - name: Build and Export to Docker
+      uses: docker/build-push-action@v3
+      with:
+        context: .
+        tags: gui:latest
+        outputs: type=docker,dest=/tmp/gui.tar
+
+    - name: Run Trivy vulnerability scanner
+      uses: aquasecurity/trivy-action@master
+      with:
+        image-ref: gui:latest
+        format: sarif
+        output: trivy-results.sarif
+        severity: 'CRITICAL,HIGH'
+
+    - name: Upload GUI Image
+      uses: actions/upload-artifact@v3
+      with:
+        name: gui-image
+        path: /tmp/gui.tar
+        retention-days: 5
 
   release:
     if: ${{ startsWith(github.ref, 'refs/tags/v') }}
-    needs: test
+    needs:
+    - test
+    - image-scan
     runs-on: ubuntu-latest
     steps:
     - uses: actions/checkout@v2
@@ -60,6 +91,18 @@ jobs:
         username: ${{ github.actor }}
         password: ${{ secrets.GITHUB_TOKEN }}
 
+    - name: Set up Docker Buildx
+      uses: docker/setup-buildx-action@v2
+
+    - name: Download GUI Image
+      uses: actions/download-artifact@v3
+      with:
+        name: gui-image
+        path: /tmp
+
+    - name: Load GUI Image
+      run: docker load --input /tmp/gui.tar
+
     - name: Build and push Docker image
       uses: docker/build-push-action@v2
       with: