name: trivy-scan-image
run-name: Trivy - Scan Docker Image

on:
  workflow_dispatch: # Manuelles Auslösen des Workflows
    inputs:
      image_tag:
        description: 'Tag für das zu scannende Docker-Image z.B. latest'
        required: true
        default: 'latest'
  schedule:
    - cron: '45 1 * * 5'

env:
  image_name: mysteryhelfer
  image_tag: ${{ github.event.inputs.image_tag || 'latest' }}
  registry_gitea: gitea.tebarius.duckdns.org
  user: tebarius

jobs:
  trivy_image_scan:
    runs-on: ubuntu-latest
    container: aquasec/trivy:latest
    steps:
      - name: Scan linux/amd64-image
        run: |
          trivy image \
          --exit-code 1 \
          --scanners vuln,misconfig,secret \
          --severity HIGH,CRITICAL \
          --ignore-unfixed \
          --platform linux/amd64 \
          ${{ env.registry_gitea }}/${{ env.user }}/${{ env.image_name }}:${{ env.image_tag }}
      - name: Scan linux/arm64-image
        run: |
          trivy image \
          --exit-code 1 \
          --scanners vuln,misconfig,secret \
          --severity HIGH,CRITICAL \
          --ignore-unfixed \
          --platform linux/arm64 \
          ${{ env.registry_gitea }}/${{ env.user }}/${{ env.image_name }}:${{ env.image_tag }}