thijsvanloef · thijsvanloef · Feb 14, 2024 · Feb 14, 2024 · Feb 14, 2024 · Feb 14, 2024
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -1,6 +1,6 @@
 ---
 name: Release
-on: # yamllint disable-line rule:truthy
+on:  # yamllint disable-line rule:truthy
   release:
     types: [published]
 

diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
@@ -0,0 +1,41 @@
+---
+name: Security
+
+on:  # yamllint disable-line rule:truthy
+  pull_request:
+    branches:
+      - main
+
+jobs:
+  security-scan:
+    runs-on: ubuntu-latest
+    name: Container - Scan
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Build and export to Docker
+        uses: docker/build-push-action@v5
+        with:
+          tags: local/palworld-server-docker:security
+          push: false
+          load: true
+
+      - name: Scan for vulnerabilities
+        id: scan
+        uses: anchore/scan-action@v3
+        with:
+          image: "local/palworld-server-docker:security"
+          fail-build: false
+          only-fixed: true
+
+      - name: Inspect action SARIF report
+        run: cat ${{ steps.scan.outputs.sarif }}
+
+      - name: upload Anchore scan SARIF report
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: ${{ steps.scan.outputs.sarif }}