From 449a403c7328e850c68a47822f67b0e4de5aed5d Mon Sep 17 00:00:00 2001
From: Yuhong Sun
Date: Tue, 26 Dec 2023 14:41:23 -0800
Subject: [PATCH] Automatic Security Scan (#886)
---
 .../docker-build-push-backend-container-on-tag.yml | 6 ++++++
 .../docker-build-push-model-server-container-on-tag.yml | 6 ++++++
 .../workflows/docker-build-push-web-container-on-tag.yml | 6 ++++++
 3 files changed, 18 insertions(+)
diff --git a/.github/workflows/docker-build-push-backend-container-on-tag.yml b/.github/workflows/docker-build-push-backend-container-on-tag.yml
index 57c7d370b..e95c143fb 100644
--- a/.github/workflows/docker-build-push-backend-container-on-tag.yml
+++ b/.github/workflows/docker-build-push-backend-container-on-tag.yml
@@ -34,3 +34,9 @@ jobs:
 danswer/danswer-backend:latest
 build-args: |
 DANSWER_VERSION=${{ github.ref_name }}
+
+ - name: Run Trivy vulnerability scanner
+ uses: aquasecurity/trivy-action@master
+ with:
+ image-ref: docker.io/danswer/danswer-backend:${{ github.ref_name }}
+ severity: 'CRITICAL,HIGH'
diff --git a/.github/workflows/docker-build-push-model-server-container-on-tag.yml b/.github/workflows/docker-build-push-model-server-container-on-tag.yml
index c38a5c3f0..ddc5f5a28 100644
--- a/.github/workflows/docker-build-push-model-server-container-on-tag.yml
+++ b/.github/workflows/docker-build-push-model-server-container-on-tag.yml
@@ -34,3 +34,9 @@ jobs:
 danswer/danswer-model-server:latest
 build-args: |
 DANSWER_VERSION=${{ github.ref_name }}
+
+ - name: Run Trivy vulnerability scanner
+ uses: aquasecurity/trivy-action@master
+ with:
+ image-ref: docker.io/danswer/danswer-model-server:${{ github.ref_name }}
+ severity: 'CRITICAL,HIGH'
diff --git a/.github/workflows/docker-build-push-web-container-on-tag.yml b/.github/workflows/docker-build-push-web-container-on-tag.yml
index d64d768a1..d848fc189 100644
--- a/.github/workflows/docker-build-push-web-container-on-tag.yml
+++ b/.github/workflows/docker-build-push-web-container-on-tag.yml
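Review bot: The new step in the backend workflow references a third-party action by a moving branch, `uses: aquasecurity/trivy-action@master`, so whatever lands on that branch runs inside this release job on the next tag push. The job builds and publishes images, and the registry login presumably happens earlier in the same job (outside the hunk), so an unreviewed change to the action would execute next to those credentials. Pin it to a reviewed full commit SHA, e.g. `uses: aquasecurity/trivy-action@<full-commit-sha>  # <release tag>`, and let Dependabot or a similar tool propose bumps. The same line appears in the model-server and web-server workflow hunks.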
@@ -34,3 +34,9 @@ jobs:
 danswer/danswer-web-server:latest
 build-args: |
 DANSWER_VERSION=${{ github.ref_name }}
+
+ - name: Run Trivy vulnerability scanner
+ uses: aquasecurity/trivy-action@master
+ with:
+ image-ref: docker.io/danswer/danswer-web-server:${{ github.ref_name }}
+ severity: 'CRITICAL,HIGH'
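Review bot: As written the scan can report but not block: the `with:` block sets no `exit-code`, and trivy-action's default is 0, so CRITICAL/HIGH findings leave the job green. The step also sits after the build step whose `tags`/`build-args` appear in the context lines, which (judging by the workflow name) pushes the image, so the version tag and `latest` are already published when the scan pulls `docker.io/danswer/danswer-web-server:${{ github.ref_name }}`. If this is meant as a gate, add `exit-code: '1'` under `with:` (optionally `ignore-unfixed: true` to keep failures actionable) and consider scanning the locally built image before the push; if it is informational only, a one-line comment above the step saying so would help. The same applies to the backend and model-server hunks.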