From 3a169b2bcdf166bca00884fc829f6d50fe2f269e Mon Sep 17 00:00:00 2001
From: Tyler Koenig
Date: Mon, 1 Jun 2026 21:32:20 -0400
Subject: [PATCH] ci(docker): add Grype CVE scanning after image push

Scans published image for Alpine and dependency CVEs. Fails on critical severity, reports all others in table output.
---
 .gitea/workflows/release-docker.yml | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/.gitea/workflows/release-docker.yml b/.gitea/workflows/release-docker.yml
index 9523a71..5282a94 100644
--- a/.gitea/workflows/release-docker.yml
+++ b/.gitea/workflows/release-docker.yml
@@ -60,6 +60,11 @@ jobs:
 COMMIT=${{ github.sha }}
 BUILD_DATE=${{ github.event.head_commit.timestamp }}
 
+ - name: Scan image for CVEs
+ run: |
+ curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin
+ grype lerkolabs/uptop:${{ steps.meta.outputs.tag }} --fail-on critical --output table
+
 - name: Update Docker Hub description
 uses: peter-evans/dockerhub-description@v4
 with:
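Review bot: The installer in the new `run:` step is fetched from the mutable `main` branch of anchore/grype and piped straight into `sh`, so whatever that script contains at run time executes unverified on the same release runner that has just pushed the image and is about to update the Docker Hub description, which makes a compromised or simply changed script a direct path into this release pipeline. Pin both the script ref and the Grype version to a released tag or commit SHA and pass that version to the script (the script then fetches a specific release rather than "latest"), and bump it deliberately. Because the scan runs after the push, a `--fail-on critical` hit fails the job only after the vulnerable tag is already public, so either move the step before the push against the locally built image or add a comment such as `# NOTE: runs post-push; a failure here does not unpublish the tag` so nobody reads a red job as a blocked release. `${{ steps.meta.outputs.tag }}` is also expanded directly into shell text; if that tag derives from a git ref or other user-controllable name, route it through `env:` and quote it rather than interpolating it into the command. Enclosing `jobs:` and the step list continue outside this hunk.

```yaml
      - name: Scan image for CVEs
        env:
          # Pin to a released tag (or commit SHA) and bump on purpose; never track main.
          GRYPE_VERSION: vX.Y.Z
          IMAGE_TAG: ${{ steps.meta.outputs.tag }}
        run: |
          curl -sSfL "https://raw.githubusercontent.com/anchore/grype/${GRYPE_VERSION}/install.sh" \
            | sh -s -- -b /usr/local/bin "${GRYPE_VERSION}"
          # NOTE: runs post-push; a failure here does not unpublish the tag.
          grype "lerkolabs/uptop:${IMAGE_TAG}" --fail-on critical --output table
```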