Container Security Scan #164

	name: Container Security Scan

	on:
	workflow_run:
	workflows:
	- "BookWorm CI"
	types:
	- completed
	branches:
	- main
	workflow_dispatch:

	permissions:
	security-events: write
	contents: read

	jobs:
	scan-containers:
	if: ${{ github.event.workflow_run.conclusion == 'success' }}
	runs-on: ubuntu-latest
	strategy:
	fail-fast: false
	matrix:
	container:
	- "foxminchan/bookworm/basket"
	- "foxminchan/bookworm/catalog"
	- "foxminchan/bookworm/finance"
	- "foxminchan/bookworm/notification"
	- "foxminchan/bookworm/ordering"
	- "foxminchan/bookworm/rating"
	- "foxminchan/bookworm/chat"
	- "foxminchan/bookworm/mcptools"
	steps:
	- name: Sanitize container name
	id: sanitize
	shell: bash
	run: \|
	original="${{ matrix.container }}"
	sanitized="${original//\//-}"
	echo "sanitized=$sanitized" >> $GITHUB_OUTPUT

	- name: Run Trivy
	uses: aquasecurity/trivy-action@0.32.0
	with:
	image-ref: "ghcr.io/${{ matrix.container }}:latest"
	format: "sarif"
	output: "trivy-results-${{ steps.sanitize.outputs.sanitized }}.sarif"
	severity: "CRITICAL,HIGH"
	exit-code: "0"
	ignore-unfixed: true

	- name: Upload Trivy Results
	uses: github/codeql-action/upload-sarif@v3
	with:
	sarif_file: "trivy-results-${{ steps.sanitize.outputs.sanitized }}.sarif"
	category: "container-${{ steps.sanitize.outputs.sanitized }}"

Provide feedback