.github/workflows/scan.yml

---
name: 🩻 Scan

on:
  pull_request:
    branches:
      - main

permissions: {}

jobs:
  scan:
    name: Scan
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - name: Checkout
        id: checkout
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

      - name: Clean Actions Runner
        id: clean_actions_runner
        uses: ministryofjustice/github-actions/clean-actions-runner@ccf9e3a4a828df1ec741f6c8e6ed9d0acaef3490 # v18.5.0
        with:
          confirm: true

      - name: Build
        id: build
        shell: bash
        env:
          IMAGE_NAME: ghcr.io/${{ github.repository }}
          IMAGE_TAG: ${{ github.sha }}
        run: |
          make build

      - name: Scan
        id: scan
        uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0 # v0.29.0
        env:
          TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db:2
          TRIVY_JAVA_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-java-db:1
        with:
          image-ref: ghcr.io/${{ github.repository }}:${{ github.sha }}
          severity: HIGH,CRITICAL
          exit-code: 1