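---
# Builds the controller image and runs three independent scanners against it
# (Grype via anchore/scan-action, Trivy, Dockle). Grype findings are also
# uploaded as SARIF to the repository's code-scanning tab.
name: Docker Image Scan

on:
  push:
    branches:
      - "master"
    tags:
      - "v*.*.*"
  pull_request:
    branches:
      - "master"

# Least privilege for GITHUB_TOKEN: the SARIF upload step requires
# security-events: write; nothing in this job writes to the repository.
# Without an explicit grant the upload fails on repos whose default token
# permissions are read-only.
permissions:
  contents: read
  security-events: write

jobs:
  docker:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Setup Golang
        uses: actions/setup-go@v5
        with:
          go-version: "1.23"

      - name: Set up QEMU
        uses: docker/setup-qemu-action@v3

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      # Produces the local controller:latest tag that every scanner below reads.
      - name: Build images
        shell: bash
        run: |
          make docker-build-notest

      # Grype: fails the job on any finding at "high" severity or above and
      # writes a SARIF report exposed as steps.grype-scan.outputs.sarif.
      - name: Anchore Scanner
        id: grype-scan
        uses: anchore/scan-action@v3
        with:
          image: controller:latest
          fail-build: true
          severity-cutoff: high
          debug: false
          acs-report-enable: true

      # always(): the report must be uploaded even when the scan step above
      # failed the build, otherwise the findings never reach code scanning.
      # codeql-action v1 is deprecated (Node 12 runtime); v3 is the supported
      # major.
      - name: Anchore upload scan SARIF report
        if: always()
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: ${{ steps.grype-scan.outputs.sarif }}

      # NOTE(review): @master is a mutable ref; any push to that branch
      # changes the code executed here. Pin to a release tag or commit SHA.
      # ignore-unfixed suppresses vulnerabilities without an upstream fix;
      # they remain in the image, they are just not reported.
      # A non-zero exit-code turns CRITICAL/HIGH findings into a step failure.
      - name: Trivy Scanner
        if: ${{ always() }}
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: controller:latest
          format: "table"
          exit-code: "42"
          ignore-unfixed: true
          vuln-type: "os,library"
          severity: "CRITICAL,HIGH"

      # always(): runs even if an earlier scanner failed so every scanner
      # reports on each run. Note this also runs when the build step failed,
      # in which case the local image will not exist.
      - name: Dockle Linter
        if: ${{ always() }}
        uses: erzz/dockle-action@v1.3.1
        with:
          image: controller:latest
          exit-code: "42"
          failure-threshold: fatal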