.github/workflows/grype.yaml

name: Docker Image Scan

on:
  pull_request:
    branches: [ main ]
    paths:
      - 'Dockerfile'
      - 'docker-compose*.yml'
      - '.docker/**'

jobs:
  scan:
    name: Build and Scan
    runs-on: ubuntu-latest
    environment: security
    concurrency:
      group: ${{ github.workflow }}-${{ github.ref }}
      cancel-in-progress: true

    steps:
    - name: Notify on failure
      if: failure()
      uses: actions/github-script@v6
      with:
        script: |
          github.rest.issues.createComment({
            issue_number: context.issue.number,
            owner: context.repo.owner,
            repo: context.repo.repo,
            body: '❌ Container security scan failed. Please check the workflow logs.'
          })
      - name: Checkout code
        uses: actions/checkout@v3

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v2

      - name: Build local container
        uses: docker/build-push-action@v4
        with:
          tags: localbuild/testimage:latest
          push: false
          load: true

      - name: Scan image
        uses: anchore/scan-action@v3
        with:
          image: "localbuild/testimage:latest"
          fail-build: true
          severity-cutoff: high

      - name: Upload scan results
        uses: github/codeql-action/upload-sarif@v2
        if: success() || failure()
        with:
          sarif_file: results.sarif