.github/workflows/cve-scan-pr.yml

name: HMDA PR CVE Scan

on:
  pull_request:
    types: [opened, synchronize, reopened]

permissions:
  pull-requests: write

jobs:
  hmda-platform-cve-scan:
    runs-on: ubuntu-latest

    steps:
      - name: Check out repo
        uses: actions/checkout@v4

      - name: Setup sbt launcher
        uses: sbt/setup-sbt@v1

      - name: Build Docker image of HMDA platform
        run: |
          env JAVA_OPTS="-Xss256m -Xmx4096m" sbt "project hmda-platform" dockerPublishLocalSkipTests

      - name: Tag and name Docker image
        run: docker tag hmda/hmda-platform:latest pr-cve-scan:latest

      - name: Scan image
        uses: anchore/scan-action@v6
        with:
          image: pr-cve-scan:latest
          output-file: grype-report.txt
          fail-build: false
          severity-cutoff: high
          output-format: table

      - name: Upload Grype report to artifact
        uses: actions/upload-artifact@v4
        with:
          name: cve-report
          path: |
            grype-report.txt