tehw0lf · tehw0lf · Mar 14, 2026 · Mar 14, 2026
diff --git a/.github/workflows/build-test-publish.yml b/.github/workflows/build-test-publish.yml
@@ -270,6 +270,7 @@ jobs:
       runner: ${{ inputs.runner }}
       trivy_severity: ${{ inputs.trivy_severity }}
       trivy_exit_code: ${{ inputs.trivy_exit_code }}
+      docker_meta: ${{ inputs.docker_meta }}
 
   publish_docker_image:
     if: ${{ github.event_name == 'push' && inputs.docker_meta != '' }}

diff --git a/.github/workflows/publish-docker-image.yml b/.github/workflows/publish-docker-image.yml
@@ -58,7 +58,6 @@ jobs:
       actions: read
       contents: write
       packages: write
-      security-events: write
     defaults:
       run:
         working-directory: ${{ inputs.root_dir }}
@@ -119,11 +118,6 @@ jobs:
         if: ${{ inputs.docker_pre != '' && (inputs.artifact_path == '' || steps.check_artifact_exists.outputs.exists == 'true') }}
         run: ${{ inputs.docker_pre }}
 
-      - name: detect scan platform
-        if: ${{ inputs.artifact_path == '' || steps.check_artifact_exists.outputs.exists == 'true' }}
-        run: |
-          echo "SCAN_PLATFORM=linux/$(uname -m | sed 's/x86_64/amd64/' | sed 's/aarch64/arm64/')" >> $GITHUB_ENV
-
       - name: set up docker
         if: ${{ inputs.artifact_path == '' || steps.check_artifact_exists.outputs.exists == 'true' }}
         uses: docker/setup-buildx-action@v4
@@ -144,67 +138,6 @@ jobs:
             echo "DOCKER_VERSION_TAG=" >> $GITHUB_ENV
           fi
 
-      - name: build scan image
-        if: ${{ inputs.artifact_path == '' || steps.check_artifact_exists.outputs.exists == 'true' }}
-        uses: docker/build-push-action@v7
-        with:
-          context: .
-          file: ${{ matrix.docker.file }}
-          push: false
-          load: true
-          platforms: ${{ env.SCAN_PLATFORM }}
-          tags: ${{ matrix.docker.name }}:scan
-
-      - name: cache trivy installation
-        id: cache-trivy
-        uses: actions/cache@v5
-        with:
-          path: |
-            /usr/local/bin/trivy
-            ~/.cache/trivy
-          key: ${{ runner.os }}-trivy-v0.69.3
-          restore-keys: |
-            ${{ runner.os }}-trivy-
-
-      - name: install trivy
-        if: steps.cache-trivy.outputs.cache-hit != 'true'
-        run: |
-          curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin v0.69.3
-
-      - name: trivy pre-publish scan
-        id: trivy-scan
-        run: |
-          sanitized_name=$(echo "${{ matrix.docker.name }}" | tr ':/' '--')
-          trivy image \
-            --format sarif \
-            --output "trivy-image-${sanitized_name}.sarif" \
-            --severity "MEDIUM,HIGH,CRITICAL" \
-            --exit-code 1 \
-            "${{ matrix.docker.name }}:scan"
-
-          # Generate human-readable summary
-          echo "### 🔍 Trivy Pre-Publish Scan Results: ${{ matrix.docker.name }}" >> $GITHUB_STEP_SUMMARY
-          trivy image \
-            --format table \
-            --severity "MEDIUM,HIGH,CRITICAL" \
-            "${{ matrix.docker.name }}:scan" >> $GITHUB_STEP_SUMMARY || true
-
-      - name: upload trivy pre-publish SARIF
-        if: always() && steps.trivy-scan.outcome != 'skipped'
-        uses: github/codeql-action/upload-sarif@v4
-        with:
-          sarif_file: trivy-image-*.sarif
-          category: trivy-pre-publish
-        continue-on-error: true
-
-      - name: upload security scan reports
-        if: always() && steps.trivy-scan.outcome != 'skipped'
-        uses: actions/upload-artifact@v7
-        with:
-          name: pre-publish-scan-reports-${{ matrix.docker.name }}
-          path: trivy-image-*.sarif
-          if-no-files-found: ignore
-
       - name: build and push image
         if: ${{ inputs.artifact_path == '' || steps.check_artifact_exists.outputs.exists == 'true' }}
         uses: docker/build-push-action@v7

diff --git a/.github/workflows/security-scan-artifacts.yml b/.github/workflows/security-scan-artifacts.yml
@@ -33,6 +33,11 @@ on:
         default: "1"
         required: false
         type: string
+      docker_meta:
+        description: "docker metadata as json array ([{'name':'docker-image-name','file':'docker/app/Dockerfile'}])"
+        default: ""
+        required: false
+        type: string
     outputs:
       trivy_fs_result:
         description: "trivy filesystem scan result"
@@ -135,3 +140,74 @@ jobs:
             trivy-fs-results.sarif
             ${{ steps.grype.outputs.sarif }}
           if-no-files-found: ignore
+
+      - name: cache trivy installation
+        if: ${{ inputs.docker_meta != '' }}
+        id: cache-trivy
+        uses: actions/cache@v5
+        with:
+          path: |
+            /usr/local/bin/trivy
+            ~/.cache/trivy
+          key: ${{ runner.os }}-trivy-v0.69.3
+          restore-keys: |
+            ${{ runner.os }}-trivy-
+
+      - name: install trivy
+        if: ${{ inputs.docker_meta != '' && steps.cache-trivy.outputs.cache-hit != 'true' }}
+        run: |
+          curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin v0.69.3
+
+      - name: set up docker
+        if: ${{ inputs.docker_meta != '' }}
+        uses: docker/setup-buildx-action@v4
+
+      - name: build and scan docker images
+        if: ${{ inputs.docker_meta != '' }}
+        run: |
+          echo '${{ inputs.docker_meta }}' | jq -c '.[]' | while read -r image; do
+            name=$(echo "$image" | jq -r '.name')
+            file=$(echo "$image" | jq -r '.file')
+            sanitized_name=$(echo "$name" | tr ':/' '--')
+
+            echo "::notice::[Docker Scan] Building scan image for $name"
+            docker buildx build \
+              --file "$file" \
+              --load \
+              --platform linux/amd64 \
+              --tag "$name:scan" \
+              .
+
+            echo "::notice::[Docker Scan] Scanning $name"
+            trivy image \
+              --format sarif \
+              --output "trivy-image-${sanitized_name}.sarif" \
+              --severity "${{ inputs.trivy_severity }}" \
+              --exit-code ${{ inputs.trivy_exit_code }} \
+              "$name:scan"
+
+            echo "### 🔍 Trivy Docker Scan Results: $name" >> $GITHUB_STEP_SUMMARY
+            trivy image \
+              --format table \
+              --severity "${{ inputs.trivy_severity }}" \
+              "$name:scan" >> $GITHUB_STEP_SUMMARY || true
+
+            docker rmi "$name:scan" || true
+          done
+        id: docker-scan
+
+      - name: upload docker trivy SARIF
+        if: always() && steps.docker-scan.outcome != 'skipped'
+        uses: github/codeql-action/upload-sarif@v4
+        with:
+          sarif_file: trivy-image-*.sarif
+          category: trivy-docker-pre-publish
+        continue-on-error: true
+
+      - name: upload docker scan reports
+        if: always() && steps.docker-scan.outcome != 'skipped'
+        uses: actions/upload-artifact@v7
+        with:
+          name: docker-scan-reports
+          path: trivy-image-*.sarif
+          if-no-files-found: ignore