ci(docker): add Grype CVE scanning after image push

Scans published image for Alpine and dependency CVEs. Fails on critical severity, reports all others in table output.
2026-06-01 21:32:20 -04:00
parent 50eb43971c
commit 3a169b2bcd
1 changed files with 5 additions and 0 deletions
@@ -60,6 +60,11 @@ jobs:
            COMMIT=${{ github.sha }}
            BUILD_DATE=${{ github.event.head_commit.timestamp }}

+      - name: Scan image for CVEs
+        run: |
+          curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin
+          grype lerkolabs/uptop:${{ steps.meta.outputs.tag }} --fail-on critical --output table
+
      - name: Update Docker Hub description
        uses: peter-evans/dockerhub-description@v4
        with: