Conversation

@jbern0rd jbern0rd commented Jan 8, 2026

Note

Tightens Docker image security in the CI workflow and defers pushing until after vulnerability checks.

  • Build a local linux/amd64 image with load: true (no push) for scanning
  • Upgrade aquasecurity/trivy-action to 0.33.1 and scan the built image via image-ref (remove tarball path)
  • Add gating step to fail the job on CRITICAL/HIGH vulnerabilities with fixes available (ignore-unfixed: true, exit-code: 1)
  • If checks pass, build and push multi-platform image using inputs.platforms; add cleanup of scan artifacts and local image

Written by Cursor Bugbot for commit 7e1a111.
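The four bullets above describe one procedure: build locally, scan, gate, then push. The following is an added example of that procedure as a stand-alone GitHub Actions workflow; it is not the PR's reusable workflow and not code from the project. It goes one step further than the PR by scanning every platform that will be pushed (the point Bugbot raises later in the thread) with a matrix job, and the push job only runs once all matrix scans pass. The registry path `ghcr.io/example-org/example-app`, the local `scan` tag, the `main` branch and the `Dockerfile` location are placeholders; action refs use the same version tags as the PR, which a production workflow should replace with full commit SHAs.

```yaml
name: docker-build

on:
  pull_request:
  push:
    branches: [main]

permissions:
  contents: read
  packages: write

env:
  # Placeholder image name; the PR's reusable workflow takes this from inputs.image-name / inputs.image-tag
  IMAGE: ghcr.io/example-org/example-app
  TAG: ${{ github.sha }}

jobs:
  scan:
    # One job per platform so every architecture that will be pushed is scanned first
    runs-on: ubuntu-latest
    strategy:
      fail-fast: true
      matrix:
        platform: [linux/amd64, linux/arm64]
    steps:
      - uses: actions/checkout@v4

      # QEMU lets the amd64 runner build the arm64 image for scanning
      - uses: docker/setup-qemu-action@v3
      - uses: docker/setup-buildx-action@v3

      # Single-platform build loaded into the local daemon; load: true only works for one platform
      - name: Build ${{ matrix.platform }} image for scanning
        uses: docker/build-push-action@v6
        with:
          context: .
          file: Dockerfile
          platforms: ${{ matrix.platform }}
          load: true
          push: false
          tags: ${{ env.IMAGE }}:scan

      # Full report (all severities, unfixed included) for visibility; never fails the job
      - name: Trivy full report
        uses: aquasecurity/trivy-action@0.33.1
        with:
          scan-type: image
          image-ref: ${{ env.IMAGE }}:scan
          format: table
          exit-code: "0"

      # Gate: fail only on CRITICAL/HIGH findings that have a fix available
      - name: Fail on CRITICAL or HIGH vulnerabilities with fix available
        uses: aquasecurity/trivy-action@0.33.1
        with:
          scan-type: image
          image-ref: ${{ env.IMAGE }}:scan
          severity: CRITICAL,HIGH
          ignore-unfixed: true
          exit-code: "1"
          # Reuse the Trivy binary installed by the previous step in this job
          skip-setup-trivy: true

      - name: Remove local scan image
        if: always()
        run: docker image rm -f "${IMAGE}:scan" || true

  push:
    # Runs only after every platform in the matrix passed the gate
    needs: scan
    if: github.event_name != 'pull_request'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: docker/setup-qemu-action@v3
      - uses: docker/setup-buildx-action@v3
      - uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Build and push multi-platform image
        uses: docker/build-push-action@v6
        with:
          context: .
          file: Dockerfile
          platforms: linux/amd64,linux/arm64
          push: true
          tags: ${{ env.IMAGE }}:${{ env.TAG }}
```

The push job rebuilds rather than pushing the scanned image, for the reason given in the thread: a multi-platform manifest cannot be loaded into the local daemon. That rebuild is only as trustworthy as its inputs, so pin `FROM` lines by digest in the Dockerfile; otherwise a base-image tag that moves between the scan job and the push job yields pushed layers that were never scanned.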

@jbern0rd jbern0rd self-assigned this Jan 8, 2026
@jbern0rd jbern0rd changed the title feat: improve docker build feat: fail docker-build on CRITICAL or HIGH fixed vulnerabilities found with Trivy Jan 12, 2026
@jbern0rd jbern0rd changed the title feat: fail docker-build on CRITICAL or HIGH fixed vulnerabilities found with Trivy feat: fail docker-build on CRITICAL or HIGH vulnerabilities with fix available Jan 12, 2026
file: ${{ inputs.dockerfile }}
platforms: ${{ inputs.platforms }}
push: ${{ inputs.push }}
load: true # Make the image available on runner
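Review bot: with `push: ${{ inputs.push }}` on this same step, the image is pushed before any scan runs, so a gate added later in the workflow cannot stop a vulnerable image from reaching the registry; set `push: false` here and push only from a step that runs after the Trivy gate. `load: true` also fails when `platforms` carries more than one value, because buildx can only load a single-platform image into the local daemon, so the scan build should pin one platform explicitly.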


⚠️ load: true is not compatible with multi-platform builds. Docker can only load a single architecture image locally.

Contributor Author
see 0d18116

- name: Fail build on CRITICAL or HIGH vulnerabilities
if: ${{ inputs.security-scan }}
uses: aquasecurity/trivy-action@0.33.1
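Review bot: `aquasecurity/trivy-action@0.33.1` is a mutable tag, and this is the step that decides whether an image ships; pin it to the full commit SHA of that release (keeping the version in a trailing comment) so a moved tag cannot silently change the gate. Note also that the `ignore-unfixed: true` behaviour described for this step lets a CRITICAL finding with no upstream fix pass without failing the job, so the separate unrestricted scan report should stay in place to keep those findings visible.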


Trivy is executed twice (around line 88).
In my opinion, we can merge this into a single scan using exit-code: 1.
If we still want to publish the report before failing, we can use continue-on-error and then check the exit code.

Contributor Author

Trivy is executed twice to allow for a full scan and a restrictive scan only on CRITICAL and HIGH.
This can be improved and is inspired by
https://github.com/aquasecurity/trivy-action?tab=readme-ov-file#skipping-setup-when-calling-trivy-action-multiple-times

skip-setup-trivy: true
exit-code: 1
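Review bot: `skip-setup-trivy: true` only works when an earlier trivy-action step in the same job has already installed the binary and both steps resolve the same Trivy version; if the first scan step is ever skipped or gated differently from this one, this step fails on a missing binary rather than on findings. Keep both steps under the same `if:` condition and the same action version.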

- name: Build and push Docker image


There is a double build. I think we can push the already built image after it has been scanned, without rebuilding the image again.

Contributor Author

This only works if load can be used; otherwise, the tag is not created locally and the image is not available through the docker client.

Comment on lines +200 to +209
- name: Build and push Docker image
if: ${{ inputs.push }}
uses: docker/build-push-action@v6
with:
build-args: ${{ inputs.build-args }}
context: ${{ inputs.context }}
file: ${{ inputs.dockerfile }}
platforms: ${{ inputs.platforms }}
push: true
tags: ${{ inputs.image-name }}:${{ inputs.image-tag }}
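Review bot: the image pushed here is a fresh build with `platforms: ${{ inputs.platforms }}`, not the image that was scanned, so every platform beyond the one scanned reaches the registry unscanned, and even the scanned platform is rebuilt from inputs that may have moved in the meantime. Either scan each platform before this step (a matrix job per platform with `load: true`, with this push job depending on all of them) or, at minimum, pin base images by digest and pass the same `cache-from` so the rebuilt layers are the ones that were scanned. `docker/build-push-action@v6` is a floating major tag as well; pin to a commit SHA.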


Suggested change
- name: Build and push Docker image
if: ${{ inputs.push }}
uses: docker/build-push-action@v6
with:
build-args: ${{ inputs.build-args }}
context: ${{ inputs.context }}
file: ${{ inputs.dockerfile }}
platforms: ${{ inputs.platforms }}
push: true
tags: ${{ inputs.image-name }}:${{ inputs.image-tag }}
- name: Push Docker image
if: ${{ inputs.push }}
run: docker push ${{ inputs.image-name }}:${{ inputs.image-tag }}

Contributor Author

If I do this with a single-platform build, the multi-platform build will be broken.

@cursor cursor bot left a comment

This PR is being reviewed by Cursor Bugbot


file: ${{ inputs.dockerfile }}
platforms: ${{ inputs.platforms }}
push: ${{ inputs.push }}
platforms: "linux/amd64"

Security scan only covers one platform, not all pushed

High Severity

The security scan only runs on the linux/amd64 image (hardcoded at line 83), but the final push step uses ${{ inputs.platforms }} which defaults to "linux/amd64,linux/arm64". This means arm64 images (and any other non-amd64 platforms) are pushed to the registry without being scanned for vulnerabilities. Different architectures can have different base images with different vulnerabilities, defeating the purpose of failing builds on CRITICAL or HIGH vulnerabilities.

4 participants