From 93ba03f6199218d70f03429a3521e48046683038 Mon Sep 17 00:00:00 2001
From: Clemens Hering
Date: Sat, 15 Nov 2025 08:22:15 +0100
Subject: [PATCH] Added pipeline image scan

---
 .gitea/workflows/image-scan.yaml | 30 ++++++++++++++++++++++++++++++
 1 file changed, 30 insertions(+)
 create mode 100644 .gitea/workflows/image-scan.yaml

diff --git a/.gitea/workflows/image-scan.yaml b/.gitea/workflows/image-scan.yaml
new file mode 100644
index 0000000..e545228
--- /dev/null
+++ b/.gitea/workflows/image-scan.yaml
@@ -0,0 +1,30 @@
+name: Scan Image for CVEs
+
+on:
+  push:
+    branches:
+      - main
+      - develop
+
+env: # global: unkritische, strukturgebende Variablen
+  TARGET_HOST: host.containers.internal
+  TARGET_USER: traefik
+  CONTAINER_NAME: localhost/valtrix-website
+
+jobs:
+  build_and_deploy:
+    runs-on: ubuntu-latest
+    env: # Job-spezifisch: Secrets und sensible Werte
+      SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }}
+      SSH_KNOWN_HOSTS: ${{ secrets.SSH_KNOWN_HOSTS }}
+
+    steps:
+      - name: Build container on target host
+        shell: bash
+        run: |
+          ssh -i ~/.ssh/id_ed25519 $TARGET_USER@$TARGET_HOST "
+            set -euo pipefail
+            export CONTAINER_NAME='$CONTAINER_NAME'
+            echo 'Start Trivy Scan: '\$CONTAINER_NAME '
+            trivy image \$CONTAINER_NAME:latest
+          "
\ No newline at end of file
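Review bot: The trailing `'` on the `echo 'Start Trivy Scan: '\$CONTAINER_NAME '` line opens a single-quoted string that is never closed, so the remote bash aborts with an unterminated-quote error and the `trivy image` line after it never runs; drop the stray quote so the line reads `echo 'Start Trivy Scan: '\$CONTAINER_NAME`. The job env puts `SSH_PRIVATE_KEY` and `SSH_KNOWN_HOSTS` into every step's environment, but no step writes them to `~/.ssh/id_ed25519` or `~/.ssh/known_hosts`, so on a fresh `ubuntu-latest` runner the `ssh -i ~/.ssh/id_ed25519` call has no key to use; if the key is pre-provisioned on a self-hosted runner instead, the two env entries expose the private key in the job environment for no purpose and should be removed, otherwise a step that materializes them with restrictive permissions is missing. Because `trivy image` runs without `--exit-code`/`--severity`, the job stays green regardless of findings; presumably the intent is to gate on results, e.g. `trivy image --exit-code 1 --severity HIGH,CRITICAL \$CONTAINER_NAME:latest`. The job id `build_and_deploy` and step name `Build container on target host` describe a build/deploy, while the step only scans, so a reader of the run log will be misled — rename to match the file's `Scan Image for CVEs`.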