feat(security): restructure Trivy scans for improved clarity and organization

2025-08-04 20:55:19 +02:00 · 2025-06-23 08:17:50 -04:00 · 2025-06-23 08:17:50 -04:00 · d865454cb0
commit d865454cb0
parent 12a5221b76
1 changed files with 43 additions and 23 deletions
--- a/.github/workflows/trivy_security_scans.yml
+++ b/.github/workflows/trivy_security_scans.yml
@ -13,35 +13,14 @@ on:
    - cron: "0 8 * * 1" # Weekly scan on Mondays at 8 AM UTC

 jobs:
-  trivy-scan:
-    name: Trivy Filesystem & Docker Image Scan
+  filesystem-scan:
+    name: Trivy Filesystem Scan (Source Code)
    runs-on: ubuntu-latest

    steps:
      - name: Checkout code
        uses: actions/checkout@v4

-      - name: Set up Docker Buildx (for consistent image builds)
-        uses: docker/setup-buildx-action@v3
-
-      - name: Login to GitHub Container Registry (optional, if pushing images)
-        uses: docker/login-action@v3
-        with:
-          registry: ghcr.io
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: Build Docker image
-        run: docker build -t adventurelog:latest .
-
-      - name: Scan Docker image with Trivy
-        uses: aquasecurity/trivy-action@master
-        with:
-          image-ref: adventurelog:latest
-          format: table
-          exit-code: 1
-          ignore-unfixed: true
-
      - name: Scan source code (Filesystem) with Trivy
        uses: aquasecurity/trivy-action@master
        with:
@ -50,3 +29,44 @@ jobs:
          format: table
          exit-code: 1
          ignore-unfixed: true
+
+  image-scan:
+    name: Trivy Docker Image Scan (Backend & Frontend)
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      # Optional login step (remove if you're not pushing images to GHCR)
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Build backend Docker image
+        run: docker build -t adventurelog-backend ./backend
+
+      - name: Build frontend Docker image
+        run: docker build -t adventurelog-frontend ./frontend
+
+      - name: Scan backend Docker image with Trivy
+        uses: aquasecurity/trivy-action@master
+        with:
+          image-ref: adventurelog-backend
+          format: table
+          exit-code: 1
+          ignore-unfixed: true
+
+      - name: Scan frontend Docker image with Trivy
+        uses: aquasecurity/trivy-action@master
+        with:
+          image-ref: adventurelog-frontend
+          format: table
+          exit-code: 1
+          ignore-unfixed: true