main.yml

name: Build, Push, and Deploy

on:
  push:
    branches:
      - master

jobs:
  build:
    runs-on: ubuntu-latest
      
    steps:
      - name: Checkout code
        uses: actions/checkout@v2

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v1

      - uses: actions/checkout@v2
      - name: Set env
        run: echo "GITHUB_BRANCH=$(echo $GITHUB_REF_NAME-$GITHUB_SHA)" >> $GITHUB_ENV  
 
      - name: Build Docker image
        run: |
          docker buildx create --use
          docker buildx inspect default --bootstrap
          docker buildx build --file Dockerfile -t mhaidir32/node-js-sample-akash:$GITHUB_REF_NAME-$GITHUB_SHA --load .     

  container_scanning:
      runs-on: ubuntu-latest
      needs: build
      steps:
        - name: Checkout code
          uses: actions/checkout@v2
        - name: Set up Docker Buildx
          uses: docker/setup-buildx-action@v1
        - name: build local container
          uses: docker/build-push-action@v2
          with:
            tags: mhaidir32/node-js-sample-akash:${{ github.sha }}
            push: false
            load: true
        - name: Run Trivy vulnerability scanner
          uses: aquasecurity/trivy-action@master
          with:
            image-ref: 'mhaidir32/node-js-sample-akash:${{ github.sha }}'
            format: 'sarif'
            exit-code: '1'
            ignore-unfixed: true
            vuln-type: 'os,library'
            severity: 'CRITICAL,HIGH'
            output: 'trivy-results.sarif'
          continue-on-error: true
        - name: Display structure of downloaded files
          run: ls -lah
        - name: display path
          run: pwd
        - name: download artifact
          uses: actions/download-artifact@v4
          with:
            path: .
            name: 'trivy-results.sarif'
        - name: Upload Trivy SARIF Report
          uses: github/codeql-action/upload-sarif@v2
          with:
            sarif_file: 'trivy-results.sarif'