From e8703277c4a65ebe36aa526b080d900b4f5c0401 Mon Sep 17 00:00:00 2001
From: August Felso <77752049+amfelso@users.noreply.github.com>
Date: Fri, 6 Mar 2026 07:31:00 -0500
Subject: [PATCH] Add Trivy image scan to CI/CD
---
 .github/workflows/main.yaml | 16 +++++++++++++---
 1 file changed, 13 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/main.yaml b/.github/workflows/main.yaml
index 7d31517..2fb0d30 100644
--- a/.github/workflows/main.yaml
+++ b/.github/workflows/main.yaml
@@ -26,7 +26,17 @@ jobs:
 context: app
 file: docker/Dockerfile
 push: true
- tags: |
- ghcr.io/amfelso/pi-agent:${{ env.SHORT_SHA }}
- ghcr.io/amfelso/pi-agent:latest
+ tags: ghcr.io/amfelso/pi-agent:${{ env.SHORT_SHA }}
 platforms: linux/arm64
+ - name: Scan image
+ uses: aquasecurity/trivy-action@master
+ with:
+ image-ref: ghcr.io/amfelso/pi-agent:${{ env.SHORT_SHA }}
+ format: table
+ exit-code: 1
+ severity: CRITICAL,HIGH
+ - name: Tag as latest
+ run: |
+ docker buildx imagetools create \
+ -t ghcr.io/amfelso/pi-agent:latest \
+ ghcr.io/amfelso/pi-agent:${{ env.SHORT_SHA }}
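Review bot: The new `Scan image` step references `aquasecurity/trivy-action@master`, a mutable branch, so whatever lands on that branch runs in this job with the workflow's token and registry credentials; pin it to a full commit SHA, e.g. `uses: aquasecurity/trivy-action@<full-commit-sha>  # <release tag>`. The scan and the `Tag as latest` step both address the image by the `${{ env.SHORT_SHA }}` tag, which is also mutable. If the build step has an `id` (not visible in this hunk), using its `digest` output for `image-ref` and as the `imagetools create` source would guarantee that the promoted image is the one that was scanned. The image is still pushed under the SHA tag before the scan runs, so a failing scan only withholds `latest`; a comment above the step such as `# Gate: only images with no CRITICAL/HIGH findings are promoted to :latest` would make that explicit.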