From ed85f7ef5e56f4cf5f6d9789ff67303375d85def Mon Sep 17 00:00:00 2001
From: Bo-Yi Wu
Date: Thu, 16 Apr 2026 18:10:07 +0800
Subject: [PATCH] ci(docker): add Trivy image scan before pushing Docker image

- Add Trivy vulnerability scanner step before Docker image push
- Upload SARIF results to GitHub Security tab
---
 .github/workflows/docker.yml | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
index 68253cd..791cae4 100644
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -75,6 +75,21 @@ jobs:
           load: true
           tags: drone-ssh:scan
 
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@v0.35.0
+        with:
+          image-ref: "drone-ssh:scan"
+          format: "sarif"
+          output: "trivy-image-results.sarif"
+          severity: "CRITICAL,HIGH"
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v4
+        if: always()
+        with:
+          sarif_file: "trivy-image-results.sarif"
+          category: "trivy-docker-image"
+
       - name: Build and push
         if: success()
         uses: docker/build-push-action@v7
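Review bot: The Trivy step does not gate the push: trivy-action's exit code defaults to 0 regardless of findings, so "Build and push" with `if: success()` still runs when CRITICAL/HIGH vulnerabilities are reported, which contradicts the intent stated in the commit title. Adding `exit-code: "1"` under the scanner's `with:` block makes the scan step fail on findings and the subsequent push step skip; the `if: always()` on the upload step already ensures the SARIF is still uploaded in that case. The upload-sarif action needs the job (or workflow) to grant `security-events: write`, and since the job header and any `permissions:` block are outside the hunk I cannot confirm that is present. Consider also pinning both new actions to a full commit SHA with the version as a trailing comment, since tags such as `@v4` are mutable. The enclosing job begins before this hunk.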