chore: scan image built in pipeline (#678)

Signed-off-by: Markus Maga <[email protected]>

Author: Flydiverny

.github/workflows/build-container.yaml

@@ -67,3 +67,21 @@ jobs:
           tags: ${{ steps.docker_meta.outputs.tags }}
           labels: ${{ steps.docker_meta.outputs.labels }}
 
+      # cant load multi arch, so we build the same arch again (everything should cache hit)
+      - name: Load for scan
+        uses: docker/build-push-action@v2
+        id: docker_load
+        with:
+          context: .
+          platforms: linux/amd64
+          load: true
+          tags: kes-scan:scan
+          labels: ${{ steps.docker_meta.outputs.labels }}
+
+      - name: Trivy Scan - High and Critical Severity
+        uses: aquasecurity/[email protected]
+        with:
+          image-ref: kes-scan:scan
+          exit-code: 1
+          ignore-unfixed: true
+          severity: HIGH,CRITICAL

.github/workflows/workflow.yml

@@ -7,25 +7,6 @@ on:
   pull_request:
 
 jobs:
-
-  scan-container:
-    runs-on: ubuntu-18.04
-
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v2
-
-      - name: Build Artifacts
-        run: docker build -t test:test .
-
-      - name: Trivy Scan - High and Critical Severity
-        uses: aquasecurity/[email protected]
-        with:
-          image-ref: test:test
-          exit-code: 1
-          ignore-unfixed: true
-          severity: HIGH,CRITICAL
-
   test:
     runs-on: ubuntu-latest
     name: Node 12