Fix Trivy reported vulnerabilites #145

	name: build and scan image (Debian version)

	on:
	push:
	branches-ignore:
	- "master"

	env:
	IMAGE_NAME: "simaofsilva/noip-renewer"
	PIP_VERSION: "23.3.1" # renovate: datasource=pypi depName=pip versioning=pep440
	GECKODRIVER_VERSION: "0.33.0" # renovate: datasource=github-tags depName=mozilla/geckodriver

	jobs:
	build_debian:
	runs-on: ubuntu-latest
	steps:
	- name: Set up QEMU
	uses: docker/[email protected]

	- name: Set up Docker Buildx
	uses: docker/[email protected]

	- name: Checkout
	uses: actions/[email protected]

	- name: Build image for tests
	uses: docker/[email protected]
	with:
	context: .
	platforms: linux/amd64
	load: true
	tags: ${{ env.IMAGE_NAME }}:test-debian
	file: Dockerfile.debian
	build-args: \|
	PIP_VERSION=${{ env.PIP_VERSION }}
	GECKODRIVER_VERSION=${{ env.GECKODRIVER_VERSION }}

	- name: Run Trivy vulnerability scanner
	uses: aquasecurity/trivy-action@master
	with:
	image-ref: ${{ env.IMAGE_NAME }}:test-debian
	format: "table"
	exit-code: "1"
	ignore-unfixed: true
	vuln-type: "os,library"
	severity: "MEDIUM,CRITICAL,HIGH"

	# On hold until https://github.com/aquasecurity/trivy-action/issues/228 is fixed
	# - name: Upload Trivy scan results to GitHub Security
	# uses: github/codeql-action/upload-sarif@v2
	# if: always()
	# with:
	# # Path to SARIF file relative to the root of the repository
	# sarif_file: trivy-debian-image-scan.sarif
	# # Optional category for the results
	# # Used to differentiate multiple results for one commit
	# category: debian-image-scan

Provide feedback