From 92ca609c7c0ed872922db0de118dd42ac66d59c4 Mon Sep 17 00:00:00 2001
From: ShubhamPalriwala <spalriwalau@gmail.com>
Date: Tue, 5 Oct 2021 11:52:06 +0530
Subject: [PATCH] ci: scan kyverno-image on each build

Signed-off-by: ShubhamPalriwala <spalriwalau@gmail.com>
---
 .github/workflows/build.yaml   | 10 ++++++++++
 .github/workflows/release.yaml | 10 ++++++++++
 2 files changed, 20 insertions(+)

diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index 68ac4be20f..d1aa7c6288 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -113,6 +113,16 @@ jobs:
         run: |
           make docker-build-kyverno
 
+      - name: Trivy Scan Image
+        uses: aquasecurity/trivy-action@master
+        with: 
+          image-ref: 'ghcr.io/kyverno/kyverno:latest'
+          format: 'table'
+          exit-code: '1'
+          ignore-unfixed: true
+          vuln-type: 'os,library'
+          severity: 'CRITICAL,HIGH'
+
   build-kyverno-cli:
     runs-on: ubuntu-latest
     needs: pre-checks
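Review bot: `uses: aquasecurity/trivy-action@master` on the new step tracks a mutable branch of a third-party action, so whoever can push to that branch can run arbitrary code in this job with the workflow's token; pin it to a release tag, or better an immutable commit SHA, e.g. `uses: aquasecurity/trivy-action@<full-commit-sha> # vX.Y.Z`. The step also scans `ghcr.io/kyverno/kyverno:latest` right after `make docker-build-kyverno`; the tag that make target applies is not visible in this hunk, and if it is not exactly that ref Trivy will fall back to pulling the registry's `latest` and the gate passes or fails on an image other than the one just built — worth confirming and, if needed, pointing `image-ref` at the locally built tag. Note as well that `ignore-unfixed: true` lets CRITICAL findings with no upstream fix through silently, which is a reasonable trade-off but deserves a one-line comment such as `# unfixed CVEs are not gated on; review them in the table output`. The trailing space after `with:` should be dropped to keep yamllint quiet.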
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index eb8961226b..10ad75570e 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -84,6 +84,16 @@ jobs:
         run: |
           make docker-publish-kyverno
 
+      - name: Trivy Scan Image
+        uses: aquasecurity/trivy-action@master
+        with: 
+          image-ref: 'ghcr.io/kyverno/kyverno:latest'
+          format: 'table'
+          exit-code: '1'
+          ignore-unfixed: true
+          vuln-type: 'os,library'
+          severity: 'CRITICAL,HIGH'
+
   release-kyverno-cli:
     runs-on: ubuntu-latest
     steps:
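Review bot: The scan runs after `make docker-publish-kyverno`, so `exit-code: '1'` fails the release job only once the image has already been pushed to the registry — the gate cannot stop a vulnerable release from shipping. Move the "Trivy Scan Image" step above the publish step (scanning the locally built image, the same `image-ref` the publish target pushes), or split publish into a build step, the scan, then the push. As in build.yaml, `uses: aquasecurity/trivy-action@master` should be pinned to a commit SHA rather than a mutable branch, since a release workflow typically holds push credentials for `ghcr.io`. The `with:` line also carries trailing whitespace.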