Add image scan to build

.github/workflows/build.yaml

@@ -38,6 +38,23 @@ jobs:
         uses: docker/setup-qemu-action@v1
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v1
+      - uses: docker/build-push-action@v2
+        with:
+          context: ./build
+          file: ./build/Dockerfile
+          platforms: linux/amd64,linux/arm64/v8,linux/arm/v7
+          load: true
+          labels: protonmail-bridge:latest
+      - name: Scan image
+        uses: anchore/scan-action@v2
+        with:
+          image: protonmail-bridge:latest
+          fail-build: true
+          severity-cutoff: critical
+      - name: Upload Anchore scan SARIF report
+        uses: github/codeql-action/upload-sarif@v1
+        with:
+          sarif_file: ${{ steps.scan.outputs.sarif }}
       - name: Login to DockerHub
         uses: docker/login-action@v1
         if: ${{ github.event_name != 'pull_request' }}

.github/workflows/deb.yaml

@@ -36,12 +36,6 @@ jobs:
           images: ${{ steps.repo.outputs.repo }}
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v1
-      - name: Login to DockerHub
-        uses: docker/login-action@v1
-        if: ${{ github.event_name != 'pull_request' }}
-        with:
-          username: ${{ secrets.REGISTRY_USERNAME }}
-          password: ${{ secrets.REGISTRY_PASSWORD }}
       - name: Build image without push
         uses: docker/build-push-action@v2
         with:
@@ -59,6 +53,12 @@ jobs:
         uses: github/codeql-action/upload-sarif@v1
         with:
           sarif_file: ${{ steps.scan.outputs.sarif }}
+      - name: Login to DockerHub
+        uses: docker/login-action@v1
+        if: ${{ github.event_name != 'pull_request' }}
+        with:
+          username: ${{ secrets.REGISTRY_USERNAME }}
+          password: ${{ secrets.REGISTRY_PASSWORD }}
       - name: Push image
         uses: docker/build-push-action@v2
         with: