From 1fa6cda7962cdfbd3971609216154bb0573441a8 Mon Sep 17 00:00:00 2001
From: Jennifer Power
Date: Mon, 4 Dec 2023 17:57:27 -0500
Subject: [PATCH] feat: adds image scanning between build and push

Signed-off-by: Jennifer Power
---
 .github/workflows/publish.yml | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index d8d48f4b..1faf0eed 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -62,6 +62,20 @@ jobs:
         run: echo "TAG=$INPUT_VERSION" >> "$GITHUB_ENV"
         env:
           INPUT_VERSION: ${{ github.event.inputs.tag }}
+
+      - name: Build and export to Docker
+        uses: docker/build-push-action@v5
+        with:
+          load: true
+          tags: ${{ env.IMAGE_REGISTRY }}/${{ vars.QUAY_ORG }}/${{ env.IMAGE_NAME }}:${{ env.TAG }}
+
+      - name: Pre-push Image Scan
+        uses: aquasecurity/trivy-action@0.14.0
+        with:
+          image-ref: ${{ env.IMAGE_REGISTRY }}/${{ vars.QUAY_ORG }}/${{ env.IMAGE_NAME }}:${{ env.TAG }}
+          exit-code: 1
+          scanners: secret
+          severity: HIGH,CRITICAL,MEDIUM
       - name: Build and Push
         uses: docker/build-push-action@v5
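Review bot: The "Pre-push Image Scan" step sets `scanners: secret`, which limits Trivy to secret detection, so the `severity: HIGH,CRITICAL,MEDIUM` filter and `exit-code: 1` gate never see OS-package or library vulnerabilities; if the commit title's "image scanning" gate is meant to block vulnerable images, this should be `scanners: vuln,secret` (a comment such as `# secret-only scan; vulnerability findings do not gate the push` would at least make the narrower intent explicit). The scanned image is produced by the `load: true` build, while the following "Build and Push" step appears to run the action again rather than push the loaded image, so the pushed artifact is the same as the scanned one only if the second build fully reuses the first build's cache — worth confirming or replacing with a push of the already-built tag. `aquasecurity/trivy-action@0.14.0` is pinned by mutable tag; pinning the gate itself to a commit SHA (with the version in a trailing comment) keeps the scanner's supply chain tamper-evident. The enclosing job and its `steps:` list start before the hunk, and the hunk's final context line falls outside the shown span.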