From a9a1882730087d7d9d8785267a2e66657d891169 Mon Sep 17 00:00:00 2001
From: Ayoub Benaissa
Date: Thu, 31 Oct 2024 07:52:49 +0100
Subject: [PATCH] feat(ci): scan CP docker image with trivy

---
 .../workflows/concrete_python_push_docker_image.yml | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/.github/workflows/concrete_python_push_docker_image.yml b/.github/workflows/concrete_python_push_docker_image.yml
index bb21a8c471..b6403bb69e 100644
--- a/.github/workflows/concrete_python_push_docker_image.yml
+++ b/.github/workflows/concrete_python_push_docker_image.yml
@@ -34,6 +34,16 @@ jobs:
 mkdir empty_context
 docker image build -t ${{ env.NAME_TAG }} --build-arg version=${{ env.VERSION }} -f ${{ env.DOCKER_FILE }} empty_context
+ - name: Run Trivy vulnerability scanner
+ uses: aquasecurity/trivy-action@915b19bbe73b92a6cf82a1bc12b087c9a19a5fe2 # 0.28.0
+ with:
+ image-ref: '${{ env.NAME_TAG }}'
+ format: 'table'
+ exit-code: '1'
+ ignore-unfixed: true
+ vuln-type: 'os,library'
+ severity: 'CRITICAL,HIGH'
+
 - name: Login to Docker Hub
 uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567
 with: