From 38af88a0e3d3f7c31e093869c70fc74a2a24959f Mon Sep 17 00:00:00 2001
From: Simon Ungar Felding <45149055+simonfelding@users.noreply.github.com>
Date: Thu, 24 Apr 2025 22:30:07 +0200
Subject: [PATCH] trivy instead of anchore.
---
 .github/workflows/build.yaml | 38 +++++++++++++++++++-----------------
 1 file changed, 20 insertions(+), 18 deletions(-)
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index 062c8b4..70bbe20 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -61,18 +61,20 @@ jobs:
 tags: "${{ env.DOCKER_REPO_DEV }}:${{ github.ref_name }}"
 build-args: |
 version=${{ env.version }}
- - name: Scan image
- id: scan
- uses: anchore/scan-action@v6
+
+ - name: Run Trivy vulnerability scan
+ uses: aquasecurity/trivy-action@0.30.0
 with:
- image: "${{ env.DOCKER_REPO_DEV }}:${{ github.ref_name }}"
- fail-build: false
- severity-cutoff: critical
- output-format: sarif
- - name: Upload Anchore scan SARIF report
+ image-ref: "${{ env.DOCKER_REPO_DEV }}:${{ github.ref_name }}"
+ format: 'sarif'
+ exit-code: 0
+ severity: 'CRITICAL,HIGH'
+ output: 'trivy-results.sarif'
+
+ - name: Upload Trivy scan SARIF report
 uses: github/codeql-action/upload-sarif@v3
 with:
- sarif_file: ${{ steps.scan.outputs.sarif }}
+ sarif_file: 'trivy-results.sarif'
 build:
 runs-on: ubuntu-latest
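Review bot: `uses: aquasecurity/trivy-action@0.30.0` pins a mutable version tag, and because this step's output feeds code scanning, a retargeted tag would silently change what runs in the job; pinning to the full commit SHA with the version in a trailing comment, e.g. `uses: aquasecurity/trivy-action@<sha>  # v0.30.0`, removes that risk. The same applies to `github/codeql-action/upload-sarif@v3` on the unchanged line, though that is pre-existing. `exit-code: 0` keeps the `DOCKER_REPO_DEV` scan report-only, which matches the old `fail-build: false`; if the CRITICAL,HIGH report turns out to be dominated by unfixable base-image findings, `ignore-unfixed: true` is the Trivy knob for that. The job's steps list begins above the hunk.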
@@ -146,18 +148,18 @@ jobs:
 digest="${{ steps.build.outputs.digest }}"
 touch "${{ runner.temp }}/digests/${digest#sha256:}"
- - name: Scan image
- id: scan
- uses: anchore/scan-action@v6
+ - name: Run Trivy vulnerability scan
+ uses: aquasecurity/trivy-action@0.30.0
 with:
- image: ${{ env.DOCKERHUB_REPO }}/protonmail-bridge:${{ steps.build.outputs.digest }}
- fail-build: true
- severity-cutoff: critical
- output-format: sarif
- - name: Upload Anchore scan SARIF report
+ image-ref: "${{ env.DOCKERHUB_REPO }}:${{ env.version }}-build"
+ format: 'sarif'
+ exit-code: 0
+ severity: 'CRITICAL,HIGH'
+ output: 'trivy-results.sarif'
+ - name: Upload Trivy scan SARIF report
 uses: github/codeql-action/upload-sarif@v3
 with:
- sarif_file: ${{ steps.scan.outputs.sarif }}
+ sarif_file: 'trivy-results.sarif'
 - name: Upload digest
 uses: actions/upload-artifact@v4
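Review bot: The release-build scan no longer gates anything: the removed Anchore step had `fail-build: true`, while the new Trivy step sets `exit-code: 0`, so an image with CRITICAL findings is scanned and the job proceeds to the digest upload regardless (the rest of the `build` job lies outside the hunk). The scan target also moved from the just-built digest (`steps.build.outputs.digest`) to the mutable tag `${{ env.version }}-build`, so what is scanned is not guaranteed to be the artifact this run produced. I would restore the gate with `exit-code: 1`, scan by digest with `image-ref: "${{ env.DOCKERHUB_REPO }}@${{ steps.build.outputs.digest }}"`, and add `if: always()` to the upload-sarif step so the report still reaches code scanning when the scan fails the job; note that with `severity: 'CRITICAL,HIGH'` HIGH findings would then also fail the build, which is stricter than the old critical-only cutoff. Whether `DOCKERHUB_REPO` now already includes the `protonmail-bridge` image name (the old line appended it) cannot be confirmed from this hunk, so the new ref is worth checking against the push step.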