From fb4c35ee32decc3d3e5c0e9dbb82ea56f61c407e Mon Sep 17 00:00:00 2001
From: Nick
Date: Mon, 5 Jan 2026 21:13:31 +1000
Subject: [PATCH 1/4] Adds security scanning
---
 .github/workflows/security-scan.yml | 65 +++++++++++++++++++++++++++++
 1 file changed, 65 insertions(+)
 create mode 100644 .github/workflows/security-scan.yml
diff --git a/.github/workflows/security-scan.yml b/.github/workflows/security-scan.yml
new file mode 100644
index 0000000..8c4c974
--- /dev/null
+++ b/.github/workflows/security-scan.yml
@@ -0,0 +1,65 @@
+name: 🛡️ Security Scan (Latest)
+
+on:
+ workflow_dispatch: ~
+ schedule:
+ - cron: '0 14 * * *'
+
+permissions:
+ contents: read
+ packages: read
+ security-events: write
+
+jobs:
+ trivy_scan:
+ name: Trivy scan container images
+ runs-on: ubuntu-latest
+ strategy:
+ fail-fast: false
+ matrix:
+ image_ref:
+ - ghcr.io/skpr/node:24-v3-latest
+ - ghcr.io/skpr/node:dev-24-v3-latest
+ - ghcr.io/skpr/node:22-v3-latest
+ - ghcr.io/skpr/node:dev-22-v3-latest
+ - ghcr.io/skpr/node:20-v3-latest
+ - ghcr.io/skpr/node:dev-20-v3-latest
+
+ steps:
+ - name: 🔑 Log in to the GitHub Container Registry
+ uses: docker/login-action@v3
+ with:
+ registry: ghcr.io
+ username: ${{ github.actor }}
+ password: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: 📥 Pull image
+ run: docker pull "${{ matrix.image_ref }}"
+
+ - name: 🔍 Trivy scan (SARIF)
+ uses: aquasecurity/trivy-action@0.24.0
+ with:
+ image-ref: ${{ matrix.image_ref }}
+ format: sarif
+ output: trivy-results.sarif
+ severity: HIGH,CRITICAL
+ ignore-unfixed: true
+ vuln-type: os,library
+ exit-code: '0' # Ensure we are always reporting
+
+ - name: 🏷️ Compute SARIF category
+ id: cat
+ shell: bash
+ run: |
+ set -euo pipefail
+ ref="${{ matrix.image_ref }}"
+ cat="trivy-$(echo "$ref" | sed -E 's#^ghcr\.io/skpr/##; s#[:/]+#-#g')"
+ echo "value=$cat" >> "$GITHUB_OUTPUT"
+ echo "Category: $cat"
+
+ - name: ⬆️ Upload Trivy SARIF to Code Scanning
+ if: always()
+ uses: github/codeql-action/upload-sarif@v4
+ with:
+ sarif_file: trivy-results.sarif
+ category: ${{ steps.cat.outputs.value }}
From a52b64014e69ef7f0a83664e817f6dfe4b32dc1f Mon Sep 17 00:00:00 2001
From: Nick
Date: Mon, 5 Jan 2026 21:13:49 +1000
Subject: [PATCH 2/4] Branch
---
 .github/workflows/security-scan.yml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/.github/workflows/security-scan.yml b/.github/workflows/security-scan.yml
index 8c4c974..ba8528c 100644
--- a/.github/workflows/security-scan.yml
+++ b/.github/workflows/security-scan.yml
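Review bot: Every action in this workflow is referenced by a mutable tag (`docker/login-action@v3`, `aquasecurity/trivy-action@0.24.0`, `github/codeql-action/upload-sarif@v4`), so the job that is meant to report on image security is itself not pinned to immutable code; the same applies to `skpr/image-scan-action@v1` introduced in the last hunk of patch 4/4. Pin each `uses:` to a full commit SHA and keep the tag as a trailing comment, e.g. `uses: docker/login-action@<commit-sha> # v3`, so a moved tag cannot change what runs with `security-events: write`. Separately, both `run:` steps interpolate `${{ matrix.image_ref }}` straight into the script body (`ref="${{ matrix.image_ref }}"`); the matrix values are static literals in this file, so it is not exploitable as written, but the robust form is to pass the value through `env:` and read `"$IMAGE_REF"` in the script, which keeps the pattern safe if the matrix is ever fed from an input.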
@@ -1,6 +1,8 @@
 name: 🛡️ Security Scan (Latest)
 on:
+ push:
+ branches: [ security-scan ]
 workflow_dispatch: ~
 schedule:
 - cron: '0 14 * * *'
From aa992740872c67b6e1c72ce76d651d823e554a83 Mon Sep 17 00:00:00 2001
From: Nick
Date: Mon, 5 Jan 2026 21:15:24 +1000
Subject: [PATCH 3/4] Branch
---
 .github/workflows/security-scan.yml | 2 --
 1 file changed, 2 deletions(-)
diff --git a/.github/workflows/security-scan.yml b/.github/workflows/security-scan.yml
index ba8528c..8c4c974 100644
--- a/.github/workflows/security-scan.yml
+++ b/.github/workflows/security-scan.yml
@@ -1,8 +1,6 @@
 name: 🛡️ Security Scan (Latest)
 on:
- push:
- branches: [ security-scan ]
 workflow_dispatch: ~
 schedule:
 - cron: '0 14 * * *'
From c5a259f16154a67ebd38e9cd5e1db733aa5d1755 Mon Sep 17 00:00:00 2001
From: Nick
Date: Tue, 6 Jan 2026 21:22:08 +1000
Subject: [PATCH 4/4] Update to use upstream
---
 .github/workflows/security-scan.yml | 32 +++-------------------------
 1 file changed, 3 insertions(+), 29 deletions(-)
diff --git a/.github/workflows/security-scan.yml b/.github/workflows/security-scan.yml
index 8c4c974..c88da4d 100644
--- a/.github/workflows/security-scan.yml
+++ b/.github/workflows/security-scan.yml
@@ -3,7 +3,7 @@ name: 🛡️ Security Scan (Latest)
 on:
 workflow_dispatch: ~
 schedule:
- - cron: '0 14 * * *'
+ - cron: "0 14 * * *"
 permissions:
 contents: read
@@ -33,33 +33,7 @@ jobs:
 username: ${{ github.actor }}
 password: ${{ secrets.GITHUB_TOKEN }}
- - name: 📥 Pull image
- run: docker pull "${{ matrix.image_ref }}"
-
- - name: 🔍 Trivy scan (SARIF)
- uses: aquasecurity/trivy-action@0.24.0
+ - name: 🛡️ Scan + upload (Trivy SARIF)
+ uses: skpr/image-scan-action@v1
 with:
 image-ref: ${{ matrix.image_ref }}
- format: sarif
- output: trivy-results.sarif
- severity: HIGH,CRITICAL
- ignore-unfixed: true
- vuln-type: os,library
- exit-code: '0' # Ensure we are always reporting
-
- - name: 🏷️ Compute SARIF category
- id: cat
- shell: bash
- run: |
- set -euo pipefail
- ref="${{ matrix.image_ref }}"
- cat="trivy-$(echo "$ref" | sed -E 's#^ghcr\.io/skpr/##; s#[:/]+#-#g')"
- echo "value=$cat" >> "$GITHUB_OUTPUT"
- echo "Category: $cat"
-
- - name: ⬆️ Upload Trivy SARIF to Code Scanning
- if: always()
- uses: github/codeql-action/upload-sarif@v4
- with:
- sarif_file: trivy-results.sarif
- category: ${{ steps.cat.outputs.value }}
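Review bot: The new `skpr/image-scan-action@v1` step receives only `image-ref`, so the severity filter, `ignore-unfixed`, the `exit-code: '0'` always-report behaviour, the `if: always()` upload and, most importantly, the per-image SARIF `category` that the removed `Compute SARIF category` step derived from the image reference are now whatever the action decides internally. Six matrix entries upload to Code Scanning from this one job; unless the action derives a distinct category per image (not visible from here), the uploads land under one category and each overwrites the previous image's findings. Worth checking the action's documented inputs and restating the category and always-upload behaviour explicitly if it exposes them; either way a comment on the step such as `# severity, category and always-upload are handled inside skpr/image-scan-action` records where that policy now lives. The job's `steps:` list begins above the hunk, and `v1` is a floating tag, so the SHA-pinning point raised on the first patch applies here too.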