ci(docker): fail push when trivy finds CRITICAL/HIGH issues

ci: pin golangci-lint to v2.11
chore: bump go directive to 1.25.9
2026-06-16 14:49:25 +08:00 · 2026-04-16 23:01:13 +08:00 · 2026-04-16 21:11:23 +08:00 · 2026-04-16 20:58:02 +08:00 · 2026-04-16 18:10:07 +08:00
3 changed files with 17 additions and 2 deletions
@@ -75,6 +75,21 @@ jobs:
          load: true
          tags: drone-ssh:scan

+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@v0.35.0
+        with:
+          image-ref: "drone-ssh:scan"
+          format: "sarif"
+          output: "trivy-image-results.sarif"
+          severity: "CRITICAL,HIGH"
+          exit-code: '1'
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v4
+        if: always()
+        with:
+          sarif_file: "trivy-image-results.sarif"
+          category: "trivy-docker-image"
+
      - name: Build and push
        if: success()
        uses: docker/build-push-action@v7
@@ -20,7 +20,7 @@ jobs:
      - name: Setup golangci-lint
        uses: golangci/golangci-lint-action@v9
        with:
-          version: latest
+          version: v2.11
          args: --verbose

      - uses: hadolint/hadolint-action@v3.3.0
@@ -1,6 +1,6 @@
 module github.com/appleboy/drone-ssh

-go 1.25.0
+go 1.25.9

 require (
 	github.com/appleboy/easyssh-proxy v1.5.2
Author	SHA1	Message	Date
Bo-Yi Wu	16a892b3a7	ci(docker): fail push when trivy finds CRITICAL/HIGH issues	2026-04-16 23:01:13 +08:00
Bo-Yi Wu	8265cc3fb1	ci: pin golangci-lint to v2.11	2026-04-16 21:11:23 +08:00
Bo-Yi Wu	c0ae39b308	chore: bump go directive to 1.25.9	2026-04-16 20:58:02 +08:00
Bo-Yi Wu	ed85f7ef5e	ci(docker): add Trivy image scan before pushing Docker image - Add Trivy vulnerability scanner step before Docker image push - Upload SARIF results to GitHub Security tab	2026-04-16 18:10:07 +08:00