veza/docs/archive/workflows/container-scan.yml.disabled

name: Container Image Scan

on:
    push:
        branches: [main]
        paths:
            - "veza-backend-api/Dockerfile*"
            - "apps/web/Dockerfile*"
            - "veza-stream-server/Dockerfile*"
    pull_request:
        branches: [main]
        paths:
            - "veza-backend-api/Dockerfile*"
            - "apps/web/Dockerfile*"
            - "veza-stream-server/Dockerfile*"
    workflow_dispatch:

env:
    GIT_SSL_NO_VERIFY: "true"
    NODE_TLS_REJECT_UNAUTHORIZED: "0"

jobs:
    scan-backend:
        name: Scan Backend Image
        runs-on: ubuntu-latest
        steps:
            - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

            - name: Build backend image
              run: docker build -t veza-backend:scan -f veza-backend-api/Dockerfile.production veza-backend-api/

            - name: Run Trivy vulnerability scanner
              uses: aquasecurity/trivy-action@76071ef0d7ec797419534a183b498b4d6366cf37 # v0.28.0
              with:
                  image-ref: "veza-backend:scan"
                  format: "table"
                  exit-code: "1"
                  severity: "CRITICAL,HIGH"
                  ignore-unfixed: true

    scan-stream-server:
        name: Scan Stream Server Image
        runs-on: ubuntu-latest
        steps:
            - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

            - name: Build stream server image
              run: docker build -t veza-stream:scan -f veza-stream-server/Dockerfile .

            - name: Run Trivy vulnerability scanner
              uses: aquasecurity/trivy-action@76071ef0d7ec797419534a183b498b4d6366cf37 # v0.28.0
              with:
                  image-ref: "veza-stream:scan"
                  format: "table"
                  exit-code: "1"
                  severity: "CRITICAL,HIGH"
                  ignore-unfixed: true

    scan-frontend:
        name: Scan Frontend Image
        runs-on: ubuntu-latest
        steps:
            - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

            - name: Check if frontend Dockerfile exists
              id: check
              run: |
                  if [ -f "apps/web/Dockerfile" ] || [ -f "apps/web/Dockerfile.production" ]; then
                    echo "exists=true" >> $GITHUB_OUTPUT
                  else
                    echo "exists=false" >> $GITHUB_OUTPUT
                  fi

            - name: Build frontend image
              if: steps.check.outputs.exists == 'true'
              run: |
                  DOCKERFILE=$([ -f "apps/web/Dockerfile.production" ] && echo "apps/web/Dockerfile.production" || echo "apps/web/Dockerfile")
                  docker build -t veza-frontend:scan -f "$DOCKERFILE" apps/web/

            - name: Run Trivy vulnerability scanner
              if: steps.check.outputs.exists == 'true'
              uses: aquasecurity/trivy-action@76071ef0d7ec797419534a183b498b4d6366cf37 # v0.28.0
              with:
                  image-ref: "veza-frontend:scan"
                  format: "table"
                  exit-code: "1"
                  severity: "CRITICAL,HIGH"
                  ignore-unfixed: true
feat(v0.501): Sprint 5 -- integration, tests, and cleanup - INT-01: Add E2E streaming tests (upload -> HLS auth) - INT-02: Add E2E cloud tests (CRUD auth, public gear) - INT-03: Split track/handler.go into 4 focused sub-handlers - INT-04: Create migration squash script + MIGRATIONS.md - INT-05: Add Trivy container image scanning CI workflow - INT-06: Replace production console.log with structured logger 2026-02-22 17:40:07 +00:00			`name: Container Image Scan`

			`on:`
ci: fix duplicate env block in staging-validation workflow Merge SSL env vars into existing env block instead of creating a duplicate (YAML doesn't allow duplicate top-level keys). Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-04-09 12:51:10 +00:00			`push:`
			`branches: [main]`
			`paths:`
			`- "veza-backend-api/Dockerfile*"`
			`- "apps/web/Dockerfile*"`
			`- "veza-stream-server/Dockerfile*"`
			`pull_request:`
			`branches: [main]`
			`paths:`
			`- "veza-backend-api/Dockerfile*"`
			`- "apps/web/Dockerfile*"`
			`- "veza-stream-server/Dockerfile*"`
			`workflow_dispatch:`

			`env:`
			`GIT_SSL_NO_VERIFY: "true"`
			`NODE_TLS_REJECT_UNAUTHORIZED: "0"`
feat(v0.501): Sprint 5 -- integration, tests, and cleanup - INT-01: Add E2E streaming tests (upload -> HLS auth) - INT-02: Add E2E cloud tests (CRUD auth, public gear) - INT-03: Split track/handler.go into 4 focused sub-handlers - INT-04: Create migration squash script + MIGRATIONS.md - INT-05: Add Trivy container image scanning CI workflow - INT-06: Replace production console.log with structured logger 2026-02-22 17:40:07 +00:00
			`jobs:`
ci: fix duplicate env block in staging-validation workflow Merge SSL env vars into existing env block instead of creating a duplicate (YAML doesn't allow duplicate top-level keys). Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-04-09 12:51:10 +00:00			`scan-backend:`
			`name: Scan Backend Image`
			`runs-on: ubuntu-latest`
			`steps:`
			`- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2`
feat(v0.501): Sprint 5 -- integration, tests, and cleanup - INT-01: Add E2E streaming tests (upload -> HLS auth) - INT-02: Add E2E cloud tests (CRUD auth, public gear) - INT-03: Split track/handler.go into 4 focused sub-handlers - INT-04: Create migration squash script + MIGRATIONS.md - INT-05: Add Trivy container image scanning CI workflow - INT-06: Replace production console.log with structured logger 2026-02-22 17:40:07 +00:00
ci: fix duplicate env block in staging-validation workflow Merge SSL env vars into existing env block instead of creating a duplicate (YAML doesn't allow duplicate top-level keys). Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-04-09 12:51:10 +00:00			`- name: Build backend image`
			`run: docker build -t veza-backend:scan -f veza-backend-api/Dockerfile.production veza-backend-api/`
feat(v0.501): Sprint 5 -- integration, tests, and cleanup - INT-01: Add E2E streaming tests (upload -> HLS auth) - INT-02: Add E2E cloud tests (CRUD auth, public gear) - INT-03: Split track/handler.go into 4 focused sub-handlers - INT-04: Create migration squash script + MIGRATIONS.md - INT-05: Add Trivy container image scanning CI workflow - INT-06: Replace production console.log with structured logger 2026-02-22 17:40:07 +00:00
ci: fix duplicate env block in staging-validation workflow Merge SSL env vars into existing env block instead of creating a duplicate (YAML doesn't allow duplicate top-level keys). Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-04-09 12:51:10 +00:00			`- name: Run Trivy vulnerability scanner`
			`uses: aquasecurity/trivy-action@76071ef0d7ec797419534a183b498b4d6366cf37 # v0.28.0`
			`with:`
			`image-ref: "veza-backend:scan"`
			`format: "table"`
			`exit-code: "1"`
			`severity: "CRITICAL,HIGH"`
			`ignore-unfixed: true`
feat(v0.501): Sprint 5 -- integration, tests, and cleanup - INT-01: Add E2E streaming tests (upload -> HLS auth) - INT-02: Add E2E cloud tests (CRUD auth, public gear) - INT-03: Split track/handler.go into 4 focused sub-handlers - INT-04: Create migration squash script + MIGRATIONS.md - INT-05: Add Trivy container image scanning CI workflow - INT-06: Replace production console.log with structured logger 2026-02-22 17:40:07 +00:00
ci: fix duplicate env block in staging-validation workflow Merge SSL env vars into existing env block instead of creating a duplicate (YAML doesn't allow duplicate top-level keys). Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-04-09 12:51:10 +00:00			`scan-stream-server:`
			`name: Scan Stream Server Image`
			`runs-on: ubuntu-latest`
			`steps:`
			`- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2`
feat(v0.501): Sprint 5 -- integration, tests, and cleanup - INT-01: Add E2E streaming tests (upload -> HLS auth) - INT-02: Add E2E cloud tests (CRUD auth, public gear) - INT-03: Split track/handler.go into 4 focused sub-handlers - INT-04: Create migration squash script + MIGRATIONS.md - INT-05: Add Trivy container image scanning CI workflow - INT-06: Replace production console.log with structured logger 2026-02-22 17:40:07 +00:00
ci: fix duplicate env block in staging-validation workflow Merge SSL env vars into existing env block instead of creating a duplicate (YAML doesn't allow duplicate top-level keys). Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-04-09 12:51:10 +00:00			`- name: Build stream server image`
			`run: docker build -t veza-stream:scan -f veza-stream-server/Dockerfile .`
feat(v0.501): Sprint 5 -- integration, tests, and cleanup - INT-01: Add E2E streaming tests (upload -> HLS auth) - INT-02: Add E2E cloud tests (CRUD auth, public gear) - INT-03: Split track/handler.go into 4 focused sub-handlers - INT-04: Create migration squash script + MIGRATIONS.md - INT-05: Add Trivy container image scanning CI workflow - INT-06: Replace production console.log with structured logger 2026-02-22 17:40:07 +00:00
ci: fix duplicate env block in staging-validation workflow Merge SSL env vars into existing env block instead of creating a duplicate (YAML doesn't allow duplicate top-level keys). Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-04-09 12:51:10 +00:00			`- name: Run Trivy vulnerability scanner`
			`uses: aquasecurity/trivy-action@76071ef0d7ec797419534a183b498b4d6366cf37 # v0.28.0`
			`with:`
			`image-ref: "veza-stream:scan"`
			`format: "table"`
			`exit-code: "1"`
			`severity: "CRITICAL,HIGH"`
			`ignore-unfixed: true`
feat(v0.501): Sprint 5 -- integration, tests, and cleanup - INT-01: Add E2E streaming tests (upload -> HLS auth) - INT-02: Add E2E cloud tests (CRUD auth, public gear) - INT-03: Split track/handler.go into 4 focused sub-handlers - INT-04: Create migration squash script + MIGRATIONS.md - INT-05: Add Trivy container image scanning CI workflow - INT-06: Replace production console.log with structured logger 2026-02-22 17:40:07 +00:00
ci: fix duplicate env block in staging-validation workflow Merge SSL env vars into existing env block instead of creating a duplicate (YAML doesn't allow duplicate top-level keys). Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-04-09 12:51:10 +00:00			`scan-frontend:`
			`name: Scan Frontend Image`
			`runs-on: ubuntu-latest`
			`steps:`
			`- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2`
feat(v0.501): Sprint 5 -- integration, tests, and cleanup - INT-01: Add E2E streaming tests (upload -> HLS auth) - INT-02: Add E2E cloud tests (CRUD auth, public gear) - INT-03: Split track/handler.go into 4 focused sub-handlers - INT-04: Create migration squash script + MIGRATIONS.md - INT-05: Add Trivy container image scanning CI workflow - INT-06: Replace production console.log with structured logger 2026-02-22 17:40:07 +00:00
ci: fix duplicate env block in staging-validation workflow Merge SSL env vars into existing env block instead of creating a duplicate (YAML doesn't allow duplicate top-level keys). Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-04-09 12:51:10 +00:00			`- name: Check if frontend Dockerfile exists`
			`id: check`
			`run: \|`
			`if [ -f "apps/web/Dockerfile" ] \|\| [ -f "apps/web/Dockerfile.production" ]; then`
			`echo "exists=true" >> $GITHUB_OUTPUT`
			`else`
			`echo "exists=false" >> $GITHUB_OUTPUT`
			`fi`
feat(v0.501): Sprint 5 -- integration, tests, and cleanup - INT-01: Add E2E streaming tests (upload -> HLS auth) - INT-02: Add E2E cloud tests (CRUD auth, public gear) - INT-03: Split track/handler.go into 4 focused sub-handlers - INT-04: Create migration squash script + MIGRATIONS.md - INT-05: Add Trivy container image scanning CI workflow - INT-06: Replace production console.log with structured logger 2026-02-22 17:40:07 +00:00
ci: fix duplicate env block in staging-validation workflow Merge SSL env vars into existing env block instead of creating a duplicate (YAML doesn't allow duplicate top-level keys). Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-04-09 12:51:10 +00:00			`- name: Build frontend image`
			`if: steps.check.outputs.exists == 'true'`
			`run: \|`
			`DOCKERFILE=$([ -f "apps/web/Dockerfile.production" ] && echo "apps/web/Dockerfile.production" \|\| echo "apps/web/Dockerfile")`
			`docker build -t veza-frontend:scan -f "$DOCKERFILE" apps/web/`
feat(v0.501): Sprint 5 -- integration, tests, and cleanup - INT-01: Add E2E streaming tests (upload -> HLS auth) - INT-02: Add E2E cloud tests (CRUD auth, public gear) - INT-03: Split track/handler.go into 4 focused sub-handlers - INT-04: Create migration squash script + MIGRATIONS.md - INT-05: Add Trivy container image scanning CI workflow - INT-06: Replace production console.log with structured logger 2026-02-22 17:40:07 +00:00
ci: fix duplicate env block in staging-validation workflow Merge SSL env vars into existing env block instead of creating a duplicate (YAML doesn't allow duplicate top-level keys). Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-04-09 12:51:10 +00:00			`- name: Run Trivy vulnerability scanner`
			`if: steps.check.outputs.exists == 'true'`
			`uses: aquasecurity/trivy-action@76071ef0d7ec797419534a183b498b4d6366cf37 # v0.28.0`
			`with:`
			`image-ref: "veza-frontend:scan"`
			`format: "table"`
			`exit-code: "1"`
			`severity: "CRITICAL,HIGH"`
			`ignore-unfixed: true`