From cb0df814854072df332460b14cf2af598446e136 Mon Sep 17 00:00:00 2001
From: Martijn Kamphuis <mkamphuis@outlook.com>
Date: Thu, 9 Jan 2025 10:56:10 +0100
Subject: [PATCH] Add container scanning

---
 .github/workflows/delivery.yml | 25 +++++++++++++++++++++++--
 1 file changed, 23 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/delivery.yml b/.github/workflows/delivery.yml
index 1730a6b..1b75ed0 100644
--- a/.github/workflows/delivery.yml
+++ b/.github/workflows/delivery.yml
@@ -1,6 +1,8 @@
 name: Delivery
 
 on: 
+  pull_request:
+    types: [synchronize, opened, reopened]
   push:
     branches: [ master ]
   release:
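Review bot: Running this Delivery workflow on `pull_request` means every PR, including ones from forks, now executes the job that logs in to GHCR and builds an attacker-controllable Dockerfile on the runner; no `permissions:` block is visible in this hunk, so the default token scope applies unless it is set elsewhere in the file. Add an explicit least-privilege block at workflow level, `permissions: { contents: read, packages: write, security-events: write }` (the last is required by the SARIF upload step added below), and consider `branches: [ master ]` on the `pull_request` trigger so only PRs targeting the delivery branch run it. For fork PRs `GITHUB_TOKEN` is read-only, so the registry login is pointless there and a failing login would break the scan; gate that step with `if: github.event_name != 'pull_request'`.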
@@ -34,10 +36,29 @@ jobs:
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}      
       
-      - name: Build container and push to GitHub Container Registry
+      - name: Build container and export to local Docker
         uses: docker/build-push-action@v5
         with:
           context: .
-          push: true
+          load: true
+          tags: local/yivitube:scan
+      
+      - name: Scan Image
+        uses: anchore/scan-action@v3
+        id: scan
+        with:
+          image: local/yivitube:scan
+          fail-build: true
+          output-format: sarif
+  
+      - name: Upload Anchore Scan SARIF Report
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          sarif_file: ${{ steps.scan.outputs.sarif }}
+      
+      - name: Push image to GitHub Container Registry
+        uses: docker/build-push-action@v5
+        with:
+          push: github.event_name != 'pull_request'
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
\ No newline at end of file
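Review bot: `push: github.event_name != 'pull_request'` is a literal string, not an expression — without `${{ }}` it is never evaluated, and docker/build-push-action parses `push` as a boolean, so the step will either reject the input or not behave as a conditional; write `push: ${{ github.event_name != 'pull_request' }}` or, cleaner, `if: github.event_name != 'pull_request'` on the step with `push: true`. The push step also drops `context: .`, so it builds from the default Git context rather than the checked-out tree that produced `local/yivitube:scan`; the image that ships is then not the artifact that was scanned, which defeats the gate — add `context: .` to the push step (ideally also pin the same Dockerfile/build-args as the scan build). Because `fail-build: true` fails the job when findings exceed the cutoff, the `upload-sarif` step after it is skipped exactly when there is something to report; give it `if: always()` so findings still land in code scanning. Lastly, the three actions are referenced by mutable major tags (`@v5`, `@v3`, `@v2`); for a workflow that publishes images, pin them to commit SHAs.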