From f219e7e36f5958ce385f4a126104d7dbebbe0268 Mon Sep 17 00:00:00 2001 From: MaxymVlasov Date: Thu, 7 Aug 2025 18:38:17 +0300 Subject: [PATCH 1/6] chore(security): Add trivy scanner for image vulnerabilities --- .github/workflows/trivy.yaml | 41 ++++++++++++++++++++++++++++++++++++ 1 file changed, 41 insertions(+) create mode 100644 .github/workflows/trivy.yaml diff --git a/.github/workflows/trivy.yaml b/.github/workflows/trivy.yaml new file mode 100644 index 000000000..2fa978160 --- /dev/null +++ b/.github/workflows/trivy.yaml @@ -0,0 +1,41 @@ +name: Trivy Image Scanner + +on: + push: + branches: + - main + schedule: + - cron: 0 11 * * 2 + +permissions: + contents: read + +jobs: + latest-scan: + name: Scan Latest Image tag + runs-on: ubuntu-latest + steps: + + - name: Pull image + run: docker pull ghcr.io/antonbabenko/pre-commit-terraform:latest + + - name: Run Trivy vulnerability scanner + uses: aquasecurity/trivy-action@dc5a429b52fcf669ce959baa2c2dd26090d2a6c4 # v0.32.0 + with: + image-ref: ghcr.io/antonbabenko/pre-commit-terraform:latest + exit-code: '1' + ignore-unfixed: true + + nightly-scan: + name: Scan Nightly Image tag + runs-on: ubuntu-latest + steps: + - name: Pull image + run: docker pull ghcr.io/antonbabenko/pre-commit-terraform:nightly + + - name: Run Trivy vulnerability scanner + uses: aquasecurity/trivy-action@dc5a429b52fcf669ce959baa2c2dd26090d2a6c4 # v0.32.0 + with: + image-ref: ghcr.io/antonbabenko/pre-commit-terraform:nightly + exit-code: '1' + ignore-unfixed: true From 5c015b1ea9f5edcb8a85fbd5270ab0c605d78688 Mon Sep 17 00:00:00 2001 From: MaxymVlasov Date: Thu, 7 Aug 2025 18:43:22 +0300 Subject: [PATCH 2/6] Trigger scan for each nightly build, and add ability to trigger it manually --- .github/workflows/trivy.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/trivy.yaml b/.github/workflows/trivy.yaml index 2fa978160..808675fa1 100644 --- a/.github/workflows/trivy.yaml +++ b/.github/workflows/trivy.yaml 
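Review bot: The `latest-scan` and `nightly-scan` jobs in the new trivy.yaml are copies of each other that differ only in the image tag, so every change to the action pin, `exit-code` or `ignore-unfixed` has to be made twice and the two scans can drift (the stray blank line after `steps:` in the first job, absent in the second, is already a small example). One job with a `strategy.matrix` over the tag would keep a single definition of the scan; `fail-fast: false` keeps the nightly result visible when latest fails. Separately, findings currently exist only in the job log: if they are meant to be retained or triaged, the action's SARIF output would have to be uploaded, which also needs `security-events: write` on top of the present `contents: read`.
```yaml
# … unchanged: name, on, permissions …
jobs:
  scan:
    name: Scan ${{ matrix.tag }} Image tag
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        tag: [latest, nightly]
    steps:
      - name: Pull image
        run: docker pull ghcr.io/antonbabenko/pre-commit-terraform:${{ matrix.tag }}

      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@dc5a429b52fcf669ce959baa2c2dd26090d2a6c4 # v0.32.0
        with:
          image-ref: ghcr.io/antonbabenko/pre-commit-terraform:${{ matrix.tag }}
          exit-code: '1'
          ignore-unfixed: true
```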
@@ -1,11 +1,12 @@ name: Trivy Image Scanner on: + workflow_dispatch: push: branches: - main schedule: - - cron: 0 11 * * 2 + - cron: 00 01 * * * permissions: contents: read From a3843af0c8ff8e79ee7854d5836c1f9de5d2af3b Mon Sep 17 00:00:00 2001 From: MaxymVlasov Date: Thu, 7 Aug 2025 18:45:26 +0300 Subject: [PATCH 3/6] test it --- .github/workflows/build-image.yaml | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/.github/workflows/build-image.yaml b/.github/workflows/build-image.yaml index ae6e407d0..930d48477 100644 --- a/.github/workflows/build-image.yaml +++ b/.github/workflows/build-image.yaml @@ -2,9 +2,7 @@ name: Publish container image on: workflow_dispatch: - release: - types: - - created + pull_request: schedule: - cron: 00 00 * * * From 040f1c4a2d7012a81e146768668b200d4606fadb Mon Sep 17 00:00:00 2001 From: Maksym Vlasov Date: Thu, 7 Aug 2025 18:46:19 +0300 Subject: [PATCH 4/6] Discard changes to .github/workflows/build-image.yaml --- .github/workflows/build-image.yaml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/.github/workflows/build-image.yaml b/.github/workflows/build-image.yaml index 930d48477..ae6e407d0 100644 --- a/.github/workflows/build-image.yaml +++ b/.github/workflows/build-image.yaml @@ -2,7 +2,9 @@ name: Publish container image on: workflow_dispatch: - pull_request: + release: + types: + - created schedule: - cron: 00 00 * * * From 00ba771424d9b6ea910c0053902325b001cd4a56 Mon Sep 17 00:00:00 2001 From: MaxymVlasov Date: Thu, 7 Aug 2025 18:47:02 +0300 Subject: [PATCH 5/6] test --- .github/workflows/trivy.yaml | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/.github/workflows/trivy.yaml b/.github/workflows/trivy.yaml index 808675fa1..823ac6381 100644 --- a/.github/workflows/trivy.yaml +++ b/.github/workflows/trivy.yaml @@ -2,9 +2,7 @@ name: Trivy Image Scanner on: workflow_dispatch: - push: - branches: - - main + pull_request: schedule: - cron: 00 01 * * * 
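Review bot: The new `00 01 * * *` schedule couples the scan to the image build only by a one-hour clock offset from build-image.yaml's `00 00 * * *` (visible in the context of PATCH 3/6), so a slow or failed nightly build leaves this job scanning the previous day's image even though the subject promises a scan for each nightly build. A `workflow_run` trigger on the publish workflow would run against exactly the image that was just pushed: `workflow_run:` / `workflows: [Publish container image]` / `types: [completed]`, guarded by `if: github.event.workflow_run.conclusion == 'success'` on the job, with the cron kept only as a fallback. The added `workflow_dispatch:` is fine as a manual re-run path.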
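Review bot: Replacing the `push` to `main` trigger with a bare `pull_request:` in trivy.yaml makes the outcome of every pull request depend on the vulnerability state of the already-published `latest` and `nightly` images rather than on the PR's content, and the subject `test` suggests a temporary check, yet no later patch in this series restores the push trigger. A CVE published overnight will then fail unrelated PRs while merges to `main` are no longer scanned at all. If a PR-time gate is wanted it should scan an image built from the PR; otherwise `push: branches: [main]` should be put back and the `pull_request:` line dropped.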
From cb46cc6800d4c00f7e6e08d55738bb113c22a7d5 Mon Sep 17 00:00:00 2001 From: MaxymVlasov Date: Thu, 7 Aug 2025 18:52:28 +0300 Subject: [PATCH 6/6] Try severity: 'CRITICAL' --- .github/workflows/trivy.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/trivy.yaml b/.github/workflows/trivy.yaml index 823ac6381..3b3c8bf65 100644 --- a/.github/workflows/trivy.yaml +++ b/.github/workflows/trivy.yaml @@ -23,6 +23,7 @@ jobs: with: image-ref: ghcr.io/antonbabenko/pre-commit-terraform:latest exit-code: '1' + severity: CRITICAL ignore-unfixed: true nightly-scan: @@ -37,4 +38,5 @@ jobs: with: image-ref: ghcr.io/antonbabenko/pre-commit-terraform:nightly exit-code: '1' + severity: CRITICAL ignore-unfixed: true
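Review bot: `severity: CRITICAL` together with the existing `ignore-unfixed: true` means a HIGH-severity vulnerability that already has a fix is neither reported nor fails the scan, in both the `@@ -23,6 +23,7 @@` and `@@ -37,4 +38,5 @@` hunks. The action's `severity` input accepts a comma-separated list, so `severity: CRITICAL,HIGH` keeps fixable HIGH findings in the gate while still dropping the noisier MEDIUM and LOW tiers. If narrowing to CRITICAL is deliberate to get the workflow green, a comment on the line such as `# Only CRITICAL findings are reported and gate the build; HIGH is intentionally excluded` would record the decision, and the subject `Try severity: 'CRITICAL'` should be replaced by the final intended threshold.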