test cve steps

.github/workflows/build-deploy-from-branch.yml

@@ -45,3 +45,30 @@ jobs:
           secrets: |
             "gh_user=${{ secrets.GIT_USER }}"
             "gh_token=${{ secrets.GIT_PAT }}"
+
+      - name: Run the Trivy scan action itself with GitHub Advanced Security code scanning integration enabled
+        id: scan
+        uses: aquasecurity/trivy-action@595be6a0f6560a0a8fc419ddf630567fc623531d # v0.22.0
+        with:
+          image-ref: "lghcr.io/${{ github.repository }}:${{ github.head_ref || github.ref_name }}"
+          format: 'sarif'
+          output: 'results.sarif'
+
+      - name: Upload Anchore Scan Report
+        uses: github/codeql-action/upload-sarif@9550da953dd3b29aedf76cd635101e48eae5eebd # CodeQL Bundle v2.17.4
+        with:
+          sarif_file: 'results.sarif'
+
+      - name: CVE Description escaped extraction and print
+        run: |
+          SCAN_RESULTS=$(jq -r 'try .runs[0].tool.driver.rules | map(.help.text) | join("\\n")' results.sarif)
+          echo "CVE_CRITICAL=$(echo $SCAN_RESULTS | grep -o CRITICAL | wc -l)" >> $GITHUB_ENV
+          echo "CVE_HIGH=$(echo $SCAN_RESULTS | grep -o HIGH | wc -l)" >> $GITHUB_ENV
+          echo "CVE_MEDIUM=$(echo $SCAN_RESULTS | grep -o MEDIUM | wc -l)" >> $GITHUB_ENV
+          
+          echo $SCAN_RESULTS
+
+      - name: Fails if CVE HIGH or CRITICAL are detected
+        id: cve-threshold
+        if: env.CVE_HIGH > 0 || env.CVE_CRITICAL > 0
+        run: exit 1