From 1d19b08b7edf4c391da1412e3f38276190c1a44b Mon Sep 17 00:00:00 2001
From: Nathanial Lubitz
Date: Fri, 5 Jun 2026 17:02:41 +1000
Subject: [PATCH] add security scans

---
 Dockerfile | 4 +++-
 action.yml | 9 +++++++++
 entrypoint.sh | 18 ++++++++++++++++++
 3 files changed, 30 insertions(+), 1 deletion(-)

diff --git a/Dockerfile b/Dockerfile
index a451e05..4ed7c52 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -7,7 +7,9 @@ FROM alpine:3.19
 COPY --from=builder /app/kforge /usr/local/bin/kforge
 RUN apk add --no-cache curl docker-cli && \
 curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl" && \
-install -o root -g root -m 0755 kubectl /usr/local/bin/kubectl
+install -o root -g root -m 0755 kubectl /usr/local/bin/kubectl && \
+curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin
+
 
 COPY entrypoint.sh /entrypoint.sh
 RUN chmod +x /entrypoint.sh
diff --git a/action.yml b/action.yml
index 15d5b6e..8ded03d 100644
--- a/action.yml
+++ b/action.yml
@@ -40,6 +40,15 @@ inputs:
 description: "Kubernetes service account token"
 required: true
 
+scan_image:
+description: "Scan image for vulnerabilities before pushing"
+required: false
+default: "true"
+scan_severity:
+description: "Fail on these severity levels (UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL)"
+required: false
+default: "HIGH,CRITICAL"
+
 # outputs:
 # output_file:
 # description: "Path to the generated Kubernetes YAML file"
diff --git a/entrypoint.sh b/entrypoint.sh
index 417c627..2054910 100644
--- a/entrypoint.sh
+++ b/entrypoint.sh
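Review bot: The new `curl -sfL …/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin` installs whatever the `main` branch of the installer serves at build time, unpinned and unverified, so the scanner the whole action now depends on is not reproducible and a change to that script is executed blindly during the build. Because the pipeline's exit status is that of `sh`, not `curl` (no pipefail is set in this RUN), a failed download hands `sh` an empty script, it exits 0, the layer builds without trivy and every later action run fails at scan time instead. Prefer fetching the installer from a tagged ref into a file and naming the release to install, e.g. `curl -sfL -o /tmp/install.sh https://raw.githubusercontent.com/aquasecurity/trivy/<TRIVY_VERSION>/contrib/install.sh && sh /tmp/install.sh -b /usr/local/bin <TRIVY_VERSION> && rm /tmp/install.sh` (placeholder version), or copy the binary out of a digest-pinned `aquasec/trivy` image with `COPY --from`. Either way a comment naming the pinned version next to the line tells the next maintainer what to bump.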
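Review bot: The new `scan_image` input (default `"true"`) is declared here, but nothing in this commit's entrypoint.sh hunks reads `INPUT_SCAN_IMAGE`; both `trivy image` calls run unconditionally, so a consumer who sets `scan_image: false` still has the push blocked on findings. Either wire the toggle in entrypoint.sh (`if [ "${INPUT_SCAN_IMAGE:-true}" = "true" ]; then … fi` around each scan) or hold the input back until it is honored, since a documented switch that does nothing is worse than none. The `scan_severity` description could also name what the value feeds, e.g. `description: "Comma-separated trivy --severity levels; any finding at these levels fails the build (UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL)"`, so users understand it is passed through verbatim.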
@@ -67,6 +67,15 @@ if [ -n "$INPUT_IMAGE_NAME" ]; then
 if [ -n "$INPUT_IMAGE_TAG" ]; then
 echo "Building image $FULL_IMAGE:$INPUT_IMAGE_TAG..."
 docker build -t "$FULL_IMAGE:$INPUT_IMAGE_TAG" -f "$INPUT_DOCKERFILE" .
+
+echo "Scanning image for vulnerabilities..."
+trivy image \
+--exit-code 1 \
+--severity "$INPUT_SCAN_SEVERITY" \
+--no-progress \
+"$FULL_IMAGE:$INPUT_IMAGE_TAG"
+
+echo "Scan passed, pushing image..."
 docker push "$FULL_IMAGE:$INPUT_IMAGE_TAG"
 else
 SHA=$(echo "$GITHUB_SHA" | cut -c1-7)
@@ -75,6 +84,15 @@ if [ -n "$INPUT_IMAGE_NAME" ]; then
 -t "$FULL_IMAGE:latest" \
 -t "$FULL_IMAGE:$SHA" \
 -f "$INPUT_DOCKERFILE" .
+
+echo "Scanning image for vulnerabilities..."
+trivy image \
+--exit-code 1 \
+--severity "$INPUT_SCAN_SEVERITY" \
+--no-progress \
+"$FULL_IMAGE:latest"
+
+echo "Scan passed, pushing image..."
 docker push "$FULL_IMAGE:latest"
 docker push "$FULL_IMAGE:$SHA"
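Review bot: The scan only gates the push if this script runs under `set -e`, and the script header is outside both hunks; without it, a non-zero exit from `trivy image --exit-code 1` falls straight through to `echo "Scan passed, pushing image..."` and `docker push`, so the new control is only as strong as an option the hunks do not show. The same nine-line block is also pasted into both branches (this hunk and the `@@ -75,6 +84,15 @@` hunk), and neither consults the `INPUT_SCAN_IMAGE` toggle that action.yml now declares. I would move the scan into a helper defined above the enclosing `if [ -n "$INPUT_IMAGE_NAME" ]` block (which starts outside the hunk), make the failure path explicit, and call it once per branch with the tag to scan. In the second branch scanning `$FULL_IMAGE:latest` covers `$FULL_IMAGE:$SHA` only because both tags come out of the same `docker build`; a one-line comment saying so would save the next reader the check.

```shell
# … defined before: if [ -n "$INPUT_IMAGE_NAME" ]; then …
scan_image() {
  # $1: image reference to scan; skipped when the scan_image input is not "true"
  if [ "${INPUT_SCAN_IMAGE:-true}" != "true" ]; then
    echo "Image scan disabled, skipping..."
    return 0
  fi
  echo "Scanning image $1 for vulnerabilities..."
  trivy image \
    --exit-code 1 \
    --severity "$INPUT_SCAN_SEVERITY" \
    --no-progress \
    "$1" || { echo "Scan failed, not pushing $1"; exit 1; }
  echo "Scan passed, pushing image..."
}

# … unchanged: docker build -t "$FULL_IMAGE:$INPUT_IMAGE_TAG" …
scan_image "$FULL_IMAGE:$INPUT_IMAGE_TAG"
# … unchanged: docker push "$FULL_IMAGE:$INPUT_IMAGE_TAG" …
# … second branch: scan_image "$FULL_IMAGE:latest" before the two pushes (same build, two tags) …
```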