name: image-scanning
on:
  push:
    # Exclude branches created by Dependabot to avoid triggering current workflow
    # for PRs initiated by Dependabot.
    branches-ignore:
      - 'dependabot/**'
permissions:
  contents: read
jobs:
  use-trivy-to-scan-image:
    permissions:
      security-events: write  # for github/codeql-action/upload-sarif to upload SARIF results
    name: image-scanning
    if: ${{ github.repository == 'karmada-io/karmada' }}
    runs-on: ubuntu-22.04
    strategy:
      fail-fast: false
      matrix:
        target:
          - karmada-controller-manager
          - karmada-scheduler
          - karmada-descheduler
          - karmada-webhook
          - karmada-agent
          - karmada-scheduler-estimator
          - karmada-interpreter-webhook-example
          - karmada-aggregated-apiserver
          - karmada-search
          - karmada-operator
          - karmada-metrics-adapter
    steps:
      - name: checkout code
        uses: actions/checkout@v4
      - name: install Go
        uses: actions/setup-go@v5
        with:
          go-version-file: go.mod
      - name: Build an image from Dockerfile
        run: |
          export VERSION="latest"
          export REGISTRY="docker.io/karmada"
          make image-${{ matrix.target }}
      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@0.28.0
        with:
          image-ref: 'docker.io/karmada/${{ matrix.target }}:latest'
          format: 'sarif'
          ignore-unfixed: true
          vuln-type: 'os,library'
          output: 'trivy-results.sarif'
      - name: display scan results
        uses: aquasecurity/trivy-action@0.28.0
        with:
          image-ref: 'docker.io/karmada/${{ matrix.target }}:latest'
          format: 'table'
          ignore-unfixed: true
          vuln-type: 'os,library'
      - name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: 'trivy-results.sarif'