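---
name: Docker Image Scan
# `on` is a YAML 1.1 boolean (generic parsers read the key as `true`); GitHub's
# workflow loader handles it, so only the lint warning is suppressed here.
on:  # yamllint disable-line rule:truthy
  # Scan on every push to the default branch and on release tags (v1.2.3).
  push:
    branches:
      - 'master'
    tags:
      - 'v*.*.*'
  # Also gate pull requests targeting the default branch.
  pull_request:
    branches:
      - 'master'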

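jobs:
  docker:
    runs-on: ubuntu-latest
    # Least privilege for GITHUB_TOKEN: this job only checks out the repo and
    # scans a locally built image; no step below writes anything back to
    # GitHub (the scanners are configured to fail the build, not upload).
    permissions:
      contents: read
    steps:
      - name: Checkout
        uses: actions/checkout@v2
      - name: Setup Golang
        uses: actions/setup-go@v2
        with:
          # Quoted so the caret/semver range is never retyped by the parser.
          go-version: '^1.16'
      # QEMU + Buildx make multi-platform `docker build` available to `make`.
      - name: Set up QEMU
        uses: docker/setup-qemu-action@v1
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v1
      - name: Fetch kube-builder
        shell: bash
        run: |
          os=$(go env GOOS)
          arch=$(go env GOARCH)
          url="https://github.com/kubernetes-sigs/kubebuilder/releases/download/v2.3.2/kubebuilder_2.3.2_${os}_${arch}.tar.gz"
          # --fail turns an HTTP error into a curl failure instead of piping an
          # error page into tar; --retry absorbs transient release-CDN errors.
          # NOTE(review): the tarball is downloaded without an integrity check.
          # Pin its sha256 from the kubebuilder release page and verify it with
          # `sha256sum --check` before extracting.
          curl --fail --silent --location --retry 3 "$url" | tar -xz -C /tmp/
          sudo mv "/tmp/kubebuilder_2.3.2_${os}_${arch}" /usr/local/kubebuilder
          # `export PATH` only lives in this step's shell; appending to
          # GITHUB_PATH makes the binary visible to the steps that follow too
          # (harmless if `make` does not need it).
          echo "/usr/local/kubebuilder/bin" >> "$GITHUB_PATH"
          export PATH="$PATH:/usr/local/kubebuilder/bin"
          kubebuilder version
      - name: Build images
        shell: bash
        run: |
          make docker-build-notest
      # Two independent scanners over the same locally built image; either one
      # failing fails the job.
      - name: Anchore Scan
        uses: anchore/scan-action@v3
        with:
          image: controller:latest
          fail-build: true
      - name: Trivy Scan
        # NOTE(review): `@master` is a mutable branch of a third-party action,
        # so the code that runs here can change without a commit to this repo.
        # Pin to a release tag or, better, a full commit SHA
        # (e.g. aquasecurity/trivy-action@<commit-sha-placeholder>).
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: controller:latest
          format: 'table'
          # Non-zero so that any CRITICAL/HIGH finding fails the step.
          exit-code: '42'
          # Skip findings with no available fix to keep the gate actionable.
          ignore-unfixed: true
          vuln-type: 'os,library'
          severity: 'CRITICAL,HIGH'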