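---
name: Docker Image Scan

# `on` is a YAML 1.1 boolean-looking key; GitHub's loader handles it, so a
# yamllint `truthy` warning here can be suppressed rather than "fixed".
on:
  push:
    branches: [main]
    tags: ['v*']
  pull_request:
    branches: [main]

# One scan per ref at a time; a newer push cancels the run still in progress.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

jobs:
  image-scan:
    # A job-level `permissions` block replaces the default token scopes, so
    # every scope not listed becomes `none`. `contents: read` is spelled out
    # so the checkout keeps working if the repository is ever private or the
    # default token permissions are tightened; `security-events: write` is
    # the scope upload-sarif needs (it is not granted to pull requests from
    # forks, see the note on the upload step).
    permissions:
      contents: read
      security-events: write
    runs-on: ubuntu-latest
    env:
      # Quoted so the value is the string "1" rather than an integer.
      DOCKER_BUILDKIT: "1"
      DOCKER_CLI_EXPERIMENTAL: enabled
    steps:
      # TODO(review): all third-party actions below are referenced by a
      # mutable tag (@v4, @v0.2.3, @v3). Pin each to a full commit SHA with
      # the tag kept as a trailing comment
      # (`uses: owner/action@<commit-sha>  # vX.Y.Z`) so a moved or
      # compromised tag cannot change what runs with security-events: write.
      - uses: actions/checkout@v4

      - name: Quick build (linux/alpine only)
        run: |
          docker build --target gomplate-alpine -t gomplate .

      - name: Install Trivy
        uses: aquasecurity/setup-trivy@v0.2.3
        with:
          version: v0.57.0
          cache: true

      # Fetch the vulnerability DB once; both scans below pass
      # --skip-db-update and rely on this step having populated it.
      - name: Download Trivy DB
        run: |
          trivy fs --no-progress --download-db-only --db-repository public.ecr.aws/aquasecurity/trivy-db

      # Gating scan: --exit-code 1 fails the job on any CRITICAL/HIGH finding
      # that has a fix available (--ignore-unfixed drops the rest).
      # NOTE(review): unlike the SARIF scan below, this step passes no
      # --ignorefile, so entries in .trivyignore still fail the job here —
      # confirm that is intended.
      - name: Run Trivy vulnerability scanner (table output)
        run: |
          trivy image \
            --scanners vuln \
            --format table \
            --exit-code 1 \
            --ignore-unfixed \
            --pkg-types os,library \
            --severity CRITICAL,HIGH \
            --skip-db-update \
            gomplate

      # Reporting scan: no --exit-code, so it never fails the job; it runs
      # even after the gating scan above exits 1 so the Security tab still
      # receives results. `!cancelled()` instead of `always()` keeps it from
      # running after the workflow was cancelled (the `!` requires the
      # `${{ }}` wrapper, otherwise YAML reads it as a tag indicator).
      - name: Run Trivy vulnerability scanner
        if: ${{ !cancelled() && github.repository == 'hairyhenderson/gomplate' }}
        run: |
          trivy image \
            --scanners vuln \
            --format sarif \
            --output trivy-results.sarif \
            --ignore-unfixed \
            --pkg-types os,library \
            --ignorefile .trivyignore \
            --skip-db-update \
            gomplate

      # NOTE(review): `github.repository` is the base repository even for a
      # pull request opened from a fork, so this condition does not skip
      # fork PRs, where the token lacks security-events: write — verify the
      # upload does not fail on such runs (e.g. also gate on
      # `github.event.pull_request.head.repo.fork != true`).
      - name: Upload Trivy scan results to GitHub Security tab
        if: ${{ !cancelled() && github.repository == 'hairyhenderson/gomplate' }}
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: 'trivy-results.sarif'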