voyage/.github/workflows/trivy_security_scans.yml

name: Trivy Security Scans

permissions:
  contents: read
  # Needed if you later add SARIF upload to GitHub Security
  # security-events: write

on:
  push:
    branches:
      - main
      - development
  pull_request:
    branches:
      - main
      - development
  schedule:
    - cron: "0 8 * * 1" # Weekly on Mondays at 8 AM UTC

jobs:
  filesystem-scan:
    name: Trivy Filesystem Scan (Source Code)
    runs-on: ubuntu-latest

    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Scan source code (Filesystem) with Trivy
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: fs
          scan-ref: .
          format: table
          exit-code: 1
          ignore-unfixed: true
          severity: CRITICAL,HIGH
          # Use .trivyignore to suppress known false positives
          trivyignores: .trivyignore

  image-scan:
    name: Trivy Docker Image Scan (Backend & Frontend)
    runs-on: ubuntu-latest
    env:
      BUN_VERSION: "1.3.10"
      PYTHON_IMAGE: "python:3.13-slim"

    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      - name: Login to GitHub Container Registry
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Build backend Docker image
        run: docker build --build-arg PYTHON_IMAGE=${{ env.PYTHON_IMAGE }} -t voyage-backend ./backend

      - name: Build frontend Docker image
        run: docker build --build-arg BUN_VERSION=${{ env.BUN_VERSION }} -t voyage-frontend ./frontend

      - name: Scan backend Docker image with Trivy
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: voyage-backend
          format: table
          exit-code: 1
          ignore-unfixed: true
          severity: CRITICAL,HIGH
          trivyignores: .trivyignore

      - name: Scan frontend Docker image with Trivy
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: voyage-frontend
          format: table
          exit-code: 1
          ignore-unfixed: true
          severity: CRITICAL,HIGH
          trivyignores: .trivyignore