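# Builds the image locally and scans it with Docker Scout. The run fails when
# the scan reports critical or high CVEs that already have a fix available.
name: Security Scan

on:
  pull_request:
    branches: [main]
  push:
    branches: [main]

# Declaring any permission sets every unlisted scope to none, so the read
# access that actions/checkout relies on is granted explicitly here.
permissions:
  contents: read
  # Presumably so the Scout step can comment on the pull request; confirm.
  pull-requests: write

jobs:
  scout:
    runs-on: ubuntu-latest
    steps:
      # NOTE(review): every action in this job is referenced by a mutable
      # major-version tag. Pinning each one to a full commit SHA would stop a
      # retagged release from running with the Docker Hub secrets used below.
      - uses: actions/checkout@v4
        with:
          # No later step uses git. Dropping the token keeps it out of
          # .git/config, which is part of the "." build context used below.
          persist-credentials: false

      - uses: docker/setup-buildx-action@v3

      # Build only. load: true places the image in the local Docker store so
      # the scan step can refer to it by tag, and nothing is pushed.
      - uses: docker/build-push-action@v5
        with:
          context: .
          push: false
          load: true
          tags: 'trek:scan'

      # NOTE(review): repository secrets are not passed to pull_request runs
      # that come from forks, so this step is expected to fail for those PRs.
      - uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}

      # Gate: a non-zero exit on any critical/high CVE that has a fixed
      # version. Unfixed findings are excluded by only-fixed and will not
      # fail the run.
      - uses: docker/scout-action@v1
        with:
          command: cves
          image: 'trek:scan'
          only-severities: critical,high
          only-fixed: true
          exit-code: true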