From 19c362d0f3382d260c2d0df42c51702522da8720 Mon Sep 17 00:00:00 2001
From: omri zaher
Date: Thu, 25 Sep 2025 14:34:20 +0300
Subject: [PATCH] Add Trivy vulnerability scanning to CI workflow
---
 .github/workflows/e2e-testing.yml | 37 +++++++++++++++++++++++++++++++
 1 file changed, 37 insertions(+)
diff --git a/.github/workflows/e2e-testing.yml b/.github/workflows/e2e-testing.yml
index 10e7c72c0..90d01477b 100644
--- a/.github/workflows/e2e-testing.yml
+++ b/.github/workflows/e2e-testing.yml
@@ -34,6 +34,21 @@ jobs:
 # Save the tag for later steps
 echo "WEKAN_IMAGE_TAG=$TAG" >> $GITHUB_ENV
+ - name: Install Trivy
+ run: |
+ sudo apt-get update
+ sudo apt-get install -y wget
+ wget https://github.com/aquasecurity/trivy/releases/latest/download/trivy_0.50.0_Linux-64bit.deb
+ sudo dpkg -i trivy_0.50.0_Linux-64bit.deb
+ - name: Scan Wekan Docker image for vulnerabilities
+ env:
+ WEKAN_IMAGE_TAG: ${{ env.WEKAN_IMAGE_TAG }}
+ DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}
+ run: |
+ docker pull $DOCKERHUB_USERNAME/wekan:$WEKAN_IMAGE_TAG
+ trivy image $DOCKERHUB_USERNAME/wekan:$WEKAN_IMAGE_TAG || true
+
 - name: Create .env file
 run: |
 echo "WEKAN_IMAGE=omriza5/wekan:${WEKAN_IMAGE_TAG}" >> .env
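Review bot: The Trivy install step fetches `releases/latest/download/trivy_0.50.0_Linux-64bit.deb`, which combines the floating `latest` redirect with a fixed 0.50.0 asset name — as soon as the latest release is not 0.50.0 (almost certainly the case by this commit's date) the asset does not exist, wget fails, and `sudo dpkg -i` is attempted on a missing file — and nothing verifies the downloaded package before it is installed as root, so the scanner itself is an unpinned, unchecked supply-chain dependency of the pipeline. The scan step then ends in `trivy image … || true` with no `--exit-code`/`--severity` threshold, so no finding, however critical, can ever fail the workflow; the step is purely informational. Pin the version in the download URL and verify it against the release's published sha256 checksums (or replace the two steps with `aquasecurity/trivy-action` pinned to a commit SHA), and let HIGH/CRITICAL findings fail the step instead of swallowing the exit status, as sketched below (the checksum file name follows Trivy's release naming, `trivy_<version>_checksums.txt` — confirm against the release page). The `env: WEKAN_IMAGE_TAG: ${{ env.WEKAN_IMAGE_TAG }}` mapping is redundant, since a variable appended to `$GITHUB_ENV` in an earlier step is already present in later steps' shell environment. The enclosing job starts before this hunk, so whether it also publishes the tag as a job output cannot be seen here.

```yaml
      - name: Install Trivy
        env:
          TRIVY_VERSION: "0.50.0"
        run: |
          set -euo pipefail
          base="https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}"
          wget -q "${base}/trivy_${TRIVY_VERSION}_Linux-64bit.deb" "${base}/trivy_${TRIVY_VERSION}_checksums.txt"
          # Refuse to install a package whose digest does not match the release manifest
          grep " trivy_${TRIVY_VERSION}_Linux-64bit.deb$" "trivy_${TRIVY_VERSION}_checksums.txt" | sha256sum -c -
          sudo dpkg -i "trivy_${TRIVY_VERSION}_Linux-64bit.deb"

      - name: Scan Wekan Docker image for vulnerabilities
        env:
          DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}
        run: |
          set -euo pipefail
          image="$DOCKERHUB_USERNAME/wekan:$WEKAN_IMAGE_TAG"
          docker pull "$image"
          # Fail the job on HIGH/CRITICAL findings instead of discarding the exit code
          trivy image --exit-code 1 --severity HIGH,CRITICAL "$image"
```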
@@ -83,6 +98,28 @@ jobs:
 sudo docker compose pull
 sudo docker compose up -d
+ security-scan:
+ needs: deploy
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v4
+
+ - name: Install Trivy
+ run: |
+ sudo apt-get update
+ sudo apt-get install -y wget
+ wget https://github.com/aquasecurity/trivy/releases/latest/download/trivy_0.50.0_Linux-64bit.deb
+ sudo dpkg -i trivy_0.50.0_Linux-64bit.deb
+
+ - name: Scan Wekan Docker image for vulnerabilities
+ env:
+ WEKAN_IMAGE_TAG: ${{ needs.deploy.outputs.wekan_image_tag }}
+ DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}
+ run: |
+ docker pull $DOCKERHUB_USERNAME/wekan:$WEKAN_IMAGE_TAG
+ trivy image $DOCKERHUB_USERNAME/wekan:$WEKAN_IMAGE_TAG || true
+
 API-tests:
 needs: deploy
 runs-on: ubuntu-latest
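Review bot: The new `security-scan` job reads `${{ needs.deploy.outputs.wekan_image_tag }}`, but nothing in this patch declares an `outputs:` block on the `deploy` job — the first hunk only writes the tag to `$GITHUB_ENV`, which is scoped to that job — so unless `deploy` declares that output outside this diff the expression expands to an empty string and the step runs `docker pull $DOCKERHUB_USERNAME/wekan:` with no tag and fails. The job also cannot gate anything: it depends on `deploy`, so the image is already running by the time it is scanned, and the scan ends in `|| true`, so it cannot fail either; in that form it duplicates the scan step the first hunk already adds to the build job. Either drop this job and keep the earlier in-job scan with a real exit code, or reverse the dependency so `deploy` has `needs: security-scan` and the scan fails on serious findings, e.g. `trivy image --exit-code 1 --severity HIGH,CRITICAL "$DOCKERHUB_USERNAME/wekan:$WEKAN_IMAGE_TAG"`. The `actions/checkout@v4` step is unused here (no repository files are read), and the install step has the same `latest`-URL-with-pinned-filename and unverified-download problems as the first hunk. Since the job only needs to pull and scan, give it an explicit minimal grant such as `permissions: contents: read` rather than inheriting the workflow's default GITHUB_TOKEN permissions.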