From 5a7584a3ad77c01a7f246ae9b0ba9bf720cdb6a7 Mon Sep 17 00:00:00 2001
From: Jacques ROUSSEL
Date: Wed, 25 Sep 2024 17:09:41 +0200
Subject: [PATCH] =?UTF-8?q?=F0=9F=91=B7(ci)=20scan=20for=20vulnerabilities?= =?UTF-8?q?=20on=20Docker=20images?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Configure Trivy Scan in the CI to detect vulnerabilities on our Docker image. Enhance stack security.
---
 .github/workflows/docker-hub.yml | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/.github/workflows/docker-hub.yml b/.github/workflows/docker-hub.yml
index 0136992e..300b6bb2 100644
--- a/.github/workflows/docker-hub.yml
+++ b/.github/workflows/docker-hub.yml
@@ -1,4 +1,5 @@
 name: Docker Hub Workflow
+run-name: Docker Hub Workflow
 
 on:
 workflow_dispatch:
@@ -48,6 +49,12 @@ jobs:
 name: Login to DockerHub
 if: github.event_name != 'pull_request'
 run: echo "$DOCKER_HUB_PASSWORD" | docker login -u "$DOCKER_HUB_USER" --password-stdin
+ - name: Run trivy scan
+ uses: numerique-gouv/action-trivy-cache@main
+ with:
+ docker-build-args: '--target backend-production -f Dockerfile'
+ docker-image-name: 'docker.io/lasuite/meet-backend:${{ github.sha }}'
 - name: Build and push
 uses: docker/build-push-action@v5
@@ -92,6 +99,12 @@ jobs:
 name: Login to DockerHub
 if: github.event_name != 'pull_request'
 run: echo "$DOCKER_HUB_PASSWORD" | docker login -u "$DOCKER_HUB_USER" --password-stdin
+ - name: Run trivy scan
+ uses: numerique-gouv/action-trivy-cache@main
+ with:
+ docker-build-args: '-f src/frontend/Dockerfile --target frontend-production'
+ docker-image-name: 'docker.io/lasuite/meet-frontend:${{ github.sha }}'
 - name: Build and push
 uses: docker/build-push-action@v5
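Review bot: `uses: numerique-gouv/action-trivy-cache@main` in the backend hunk (@@ -48,6 +49,12 @@) pins the new scan step to a mutable branch instead of a release tag or commit SHA, and the frontend hunk (@@ -92,6 +99,12 @@) has the same form. The step runs after the `docker login` step, so whatever `main` resolves to at run time executes on a runner that already holds the Docker Hub credentials, and any push to that branch silently changes what this workflow runs. Pin it to a full commit SHA with the version recorded in a trailing comment, `uses: numerique-gouv/action-trivy-cache@<full-commit-sha>  # <release-tag>` (placeholder values), and let the repository's dependency bot bump it. It is also not visible from this hunk whether the action fails the job on findings or only reports them; if it only reports, the `Build and push` step that follows still pushes the image, so that behaviour is worth confirming and stating in a short comment above the step.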