ci(docker): fail push when trivy finds CRITICAL/HIGH issues

- Add Trivy image scan job to trivy.yml alongside existing repo scan
- Add Trivy image scan step in docker.yml before pushing Docker image
- Add security-events permission for SARIF upload

.github/workflows/docker.yml

@@ -10,6 +10,11 @@ on:
     branches:
       - "master"
 
+permissions:
+  contents: read
+  packages: write
+  security-events: write
+
 jobs:
   build-docker:
     runs-on: ubuntu-latest
@@ -18,6 +23,7 @@ jobs:
         uses: actions/setup-go@v6
         with:
           go-version: "^1"
+          check-latest: true
       - name: Checkout repository
         uses: actions/checkout@v6
         with:
@@ -29,13 +35,13 @@ jobs:
           make build_linux_arm64
 
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3
+        uses: docker/setup-qemu-action@v4
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@v4
 
       - name: Login to GitHub Container Registry
-        uses: docker/login-action@v3
+        uses: docker/login-action@v4
         with:
           registry: ghcr.io
           username: ${{ github.repository_owner }}
@@ -43,7 +49,7 @@ jobs:
 
       - name: Docker meta
         id: docker-meta
-        uses: docker/metadata-action@v5
+        uses: docker/metadata-action@v6
         with:
           images: |
             ghcr.io/${{ github.repository }}
@@ -53,8 +59,33 @@ jobs:
             type=semver,pattern={{major}}.{{minor}}
             type=semver,pattern={{major}}
 
+      - name: Build image for scanning
+        uses: docker/build-push-action@v7
+        with:
+          context: .
+          file: docker/Dockerfile
+          platforms: linux/amd64
+          push: false
+          load: true
+          tags: drone-jenkins:scan
+
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@v0.35.0
+        with:
+          image-ref: "drone-jenkins:scan"
+          format: "sarif"
+          output: "trivy-image-results.sarif"
+          severity: "CRITICAL,HIGH"
+          exit-code: '1'
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v4
+        if: always()
+        with:
+          sarif_file: "trivy-image-results.sarif"
+          category: "trivy-docker-image"
+
       - name: Build and push
-        uses: docker/build-push-action@v6
+        uses: docker/build-push-action@v7
         with:
           context: .
           platforms: linux/amd64,linux/arm64

.github/workflows/goreleaser.yml

@@ -23,7 +23,7 @@ jobs:
           check-latest: true
 
       - name: Run GoReleaser
-        uses: goreleaser/goreleaser-action@v6
+        uses: goreleaser/goreleaser-action@v7
         with:
           # either 'goreleaser' (default) or 'goreleaser-pro'
           distribution: goreleaser

.github/workflows/lint.yml

@@ -12,13 +12,14 @@ jobs:
         uses: actions/setup-go@v6
         with:
           go-version: "stable"
+          check-latest: true
       - name: Checkout repository
         uses: actions/checkout@v6
 
       - name: Setup golangci-lint
         uses: golangci/golangci-lint-action@v9
         with:
-          version: v2.6
+          version: v2.11
           args: --verbose
 
       - uses: hadolint/hadolint-action@v3.3.0
@@ -30,7 +31,7 @@ jobs:
     strategy:
       matrix:
         os: [ubuntu-latest]
-        go: ["1.25"]
+        go: ["1.25", "1.26"]
         include:
           - os: ubuntu-latest
             go-build: ~/.cache/go-build
@@ -44,6 +45,7 @@ jobs:
         uses: actions/setup-go@v6
         with:
           go-version: ${{ matrix.go }}
+          check-latest: true
 
       - name: Checkout Code
         uses: actions/checkout@v6

.github/workflows/trivy.yml

@@ -10,47 +10,76 @@ on:
   schedule:
     # Run daily at 00:00 UTC
     - cron: "0 0 * * *"
-  workflow_dispatch: # Allow manual trigger
+  workflow_dispatch:
 
 permissions:
   contents: read
-  security-events: write # Required for uploading SARIF results
+  security-events: write
 
 jobs:
-  trivy-scan:
-    name: Trivy Security Scan
+  trivy-repo-scan:
+    name: Trivy Repository Scan
     runs-on: ubuntu-latest
     steps:
-      - name: Checkout code
+      - name: Checkout repository
         uses: actions/checkout@v6
-        with:
-          fetch-depth: 0
 
-      - name: Run Trivy vulnerability scanner (source code)
-        uses: aquasecurity/trivy-action@0.33.1
+      - name: Run Trivy vulnerability scanner (repo)
+        uses: aquasecurity/trivy-action@v0.35.0
         with:
           scan-type: "fs"
           scan-ref: "."
-          scanners: "vuln,secret,misconfig"
           format: "sarif"
-          output: "trivy-results.sarif"
-          severity: "CRITICAL,HIGH,MEDIUM"
-          ignore-unfixed: true
+          output: "trivy-repo-results.sarif"
+          severity: "CRITICAL,HIGH"
 
-      - name: Upload Trivy results to GitHub Security tab
+      - name: Upload Trivy scan results to GitHub Security tab
         uses: github/codeql-action/upload-sarif@v4
         if: always()
         with:
-          sarif_file: "trivy-results.sarif"
+          sarif_file: "trivy-repo-results.sarif"
 
-      - name: Run Trivy scanner (table output for logs)
-        uses: aquasecurity/trivy-action@0.33.1
+  trivy-image-scan:
+    name: Trivy Image Scan
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v6
+
+      - name: Setup go
+        uses: actions/setup-go@v6
+        with:
+          go-version-file: go.mod
+          check-latest: true
+
+      - name: Build binary
+        run: |
+          make build_linux_amd64
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v4
+
+      - name: Build Docker image for scanning
+        uses: docker/build-push-action@v7
+        with:
+          context: .
+          file: docker/Dockerfile
+          platforms: linux/amd64
+          push: false
+          load: true
+          tags: drone-jenkins:scan
+
+      - name: Run Trivy vulnerability scanner (image)
+        uses: aquasecurity/trivy-action@v0.35.0
+        with:
+          image-ref: "drone-jenkins:scan"
+          format: "sarif"
+          output: "trivy-image-results.sarif"
+          severity: "CRITICAL,HIGH"
+
+      - name: Upload Trivy image scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v4
         if: always()
         with:
-          scan-type: "fs"
-          scan-ref: "."
-          scanners: "vuln,secret,misconfig"
-          format: "table"
-          severity: "CRITICAL,HIGH,MEDIUM"
-          ignore-unfixed: true
-          exit-code: "1"
+          sarif_file: "trivy-image-results.sarif"
+          category: "trivy-image"

go.mod

@@ -1,6 +1,6 @@
 module github.com/appleboy/drone-jenkins
 
-go 1.24.0
+go 1.25.9
 
 require (
 	github.com/appleboy/com v1.1.1

jenkins.go

@@ -233,7 +233,7 @@ func (jenkins *Jenkins) sendRequest(
 		req.Header.Set(crumb.CrumbRequestField, crumb.Crumb)
 	}
 
-	return jenkins.Client.Do(req)
+	return jenkins.Client.Do(req) //nolint:gosec // user-configured Jenkins URL
 }
 
 func (jenkins *Jenkins) get(

jenkins_test.go

@@ -347,7 +347,11 @@ func TestWaitForCompletion(t *testing.T) {
 						[]byte(`{"number":456,"building":true,"duration":0,"result":null}`),
 					)
 				} else {
-					_, _ = w.Write([]byte(`{"number":456,"building":false,"duration":5000,"result":"SUCCESS"}`))
+					_, _ = w.Write(
+						[]byte(
+							`{"number":456,"building":false,"duration":5000,"result":"SUCCESS"}`,
+						),
+					)
 				}
 			}
 		}))
@@ -470,7 +474,11 @@ func TestWaitForCompletion(t *testing.T) {
 						[]byte(`{"number":456,"building":true,"duration":0,"result":null}`),
 					)
 				} else {
-					_, _ = w.Write([]byte(`{"number":456,"building":false,"duration":3000,"result":"FAILURE"}`))
+					_, _ = w.Write(
+						[]byte(
+							`{"number":456,"building":false,"duration":3000,"result":"FAILURE"}`,
+						),
+					)
 				}
 			}
 		}))