name: Security scan of Docker image
on:
  push:
    branches: [master]
    paths-ignore:
      - .github/workflows/buildx-release.yml
      - .github/workflows/dockerhub-description.yml
      - .github/workflows/greetings.yml
      - .github/workflows/labels.yml
      - .github/workflows/misspell.yml
      - .github/workflows/security.yml
      - .dockerignore
      - .gitignore
      - docker-compose.yml
      - LICENSE
      - README.md
      - title.svg
  schedule:
    - cron: '0 9 * * *'
jobs:
  security-analysis:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v2
      - name: Check for scratch
        id: scratchCheck
        run: echo ::set-output name=scratch::$(cat Dockerfile | grep 'FROM scratch')
      - name: Build image
        if: steps.scratchCheck.outputs.scratch == ''
        run: docker build -t image .
      - name: Phonito
        if: steps.scratchCheck.outputs.scratch == ''
        uses: phonito/phonito-scanner-action@master
        with:
          image: image
          fail-level: LOW
          phonito-token: ${{ secrets.PHONITO_TOKEN }}
      - name: Trivy
        if: steps.scratchCheck.outputs.scratch == ''
        uses: homoluctus/gitrivy@v1.0.0
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          image: image