name: Docker Scan

on:
  workflow_dispatch:
    inputs:
      trigger-scan:
        description: 'Trigger a manual scan'
        required: true
        default: 'true'

env:
  DOCKER_IMAGE: donaldzou/wgdashboard

jobs:
  docker_scan:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Log in to Docker Hub
        uses: docker/login-action@v3
        with:
          registry: docker.io
          username: ${{ secrets.DOCKER_HUB_USERNAME }}
          password: ${{ secrets.DOCKER_HUB_PASSWORD }}

      - name: Docker Scout CVEs
        uses: docker/scout-action@v1
        with:
          command: cves
          image: ${{ env.DOCKER_IMAGE }}:nightly
          only-severities: critical,high
          only-fixed: true
          write-comment: true
          github-token: ${{ secrets.GITHUB_TOKEN }}
          exit-code: true