
refactor: move docker trivy scan to security-scan-artifacts #42

Merged

tehw0lf merged 1 commit into main from feature/docker-scan-in-security-artifacts on Mar 14, 2026

Conversation

@tehw0lf (Owner) commented Mar 14, 2026

Summary

  • Docker image trivy scan moved from `publish-docker-image` to `security-scan-artifacts`
  • Scan image is built locally (linux/amd64, no registry login needed) and discarded after scan
  • Findings are now caught on PRs before publish, not just pre-publish on main
  • `publish-docker-image` is now purely build+push with no scan responsibility
  • `security-events: write` permission removed from publish job

Test plan

  • Verify trivy docker scan runs in security-scan-artifacts on PR
  • Verify findings block the PR
  • Verify publish-docker-image still works without scan steps

- Add docker_meta input to security-scan-artifacts workflow
- Build amd64 scan image locally (no registry login) and scan with trivy
- Remove scan steps from publish-docker-image (now scans only build+push)
- Pass docker_meta from orchestrator to security-scan-artifacts
- Findings now caught on PRs before publish
@tehw0lf tehw0lf merged commit 51307b8 into main Mar 14, 2026
2 checks passed
@tehw0lf tehw0lf deleted the feature/docker-scan-in-security-artifacts branch March 14, 2026 22:42
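The layout the PR describes, as an added illustration that is not the repository's actual workflow file: a reusable `security-scan-artifacts` workflow that takes a `docker_meta` input, builds a throwaway linux/amd64 image into the runner's local daemon without any registry login, gates the job on Trivy findings, and is the only place that holds `security-events: write`. The format of `docker_meta` is not shown on the page; this example assumes it is a single image reference string. Action versions are pinned to tags I know exist at the time of writing; a real deployment would pin commit SHAs. The second YAML document sketches the orchestrator side that passes `docker_meta` through.

```yaml
# .github/workflows/security-scan-artifacts.yml (illustrative example, not the project's own file)
name: security-scan-artifacts

on:
  workflow_call:
    inputs:
      docker_meta:
        description: >-
          Image reference used to tag the throwaway scan build, e.g.
          ghcr.io/owner/app:pr-42. Assumed here to be a single tag string.
        required: true
        type: string

jobs:
  trivy-docker:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write   # needed only for the SARIF upload below
    steps:
      - uses: actions/checkout@v4

      - uses: docker/setup-buildx-action@v3

      # Build for exactly one platform and load the result into the local
      # Docker daemon. `load: true` only works for a single platform, which
      # is why the scan image is linux/amd64 only. push: false means no
      # registry credentials are needed in this job at all.
      - name: Build scan image locally
        uses: docker/build-push-action@v6
        with:
          context: .
          platforms: linux/amd64
          push: false
          load: true
          tags: ${{ inputs.docker_meta }}

      # exit-code '1' fails this step, and therefore the PR check, on any
      # HIGH/CRITICAL finding. ignore-unfixed keeps the gate to findings the
      # team can actually act on.
      - name: Scan image with Trivy
        uses: aquasecurity/trivy-action@0.28.0
        with:
          image-ref: ${{ inputs.docker_meta }}
          format: sarif
          output: trivy-image.sarif
          severity: CRITICAL,HIGH
          ignore-unfixed: true
          exit-code: '1'

      # Run even after a failed scan step so the findings that blocked the
      # PR show up in the Security tab, not only in the job log.
      - name: Upload Trivy SARIF
        if: always()
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: trivy-image.sarif
          category: trivy-image

      # The loaded image exists only in this runner's daemon and dies with
      # the runner; the explicit removal just makes that intent visible.
      # The tag is passed through an env var rather than interpolated into
      # the shell line, so an untrusted value cannot inject commands.
      - name: Discard scan image
        if: always()
        env:
          IMAGE: ${{ inputs.docker_meta }}
        run: docker image rm -f "$IMAGE" || true

---
# Orchestrator side (illustrative): the caller passes docker_meta through.
# The called workflow cannot exceed the permissions granted here.
jobs:
  security-scan-artifacts:
    uses: ./.github/workflows/security-scan-artifacts.yml
    permissions:
      contents: read
      security-events: write
    with:
      docker_meta: ghcr.io/${{ github.repository }}:${{ github.sha }}

  publish-docker-image:
    needs: security-scan-artifacts
    if: github.ref == 'refs/heads/main'
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: write          # push only; no security-events needed here
    steps:
      - uses: actions/checkout@v4
      - uses: docker/setup-buildx-action@v3
      - uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - uses: docker/build-push-action@v6
        with:
          context: .
          platforms: linux/amd64,linux/arm64
          push: true
          tags: ghcr.io/${{ github.repository }}:${{ github.sha }}
```

Two caveats worth checking when wiring this up. First, on `pull_request` runs from forks the `GITHUB_TOKEN` is read-only regardless of the `permissions` block, so the SARIF upload step fails there; the `exit-code: '1'` gate still blocks the PR, which is the property the test plan asks for. Second, the published multi-arch image is a separate build from the amd64 scan image, so a finding that only exists in an arm64-specific base layer is not caught by this gate; the trade-off is a scan that runs on every PR without registry credentials.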