feat: add Dockerfile and GitHub Actions workflow for Docker build and Trivy scan

milsman2 · milsman2 · commit 2db6f30a195a · 2026-02-04T17:03:45.000-06:00
diff --git a/.github/workflows/docker-build-and-scan.yaml b/.github/workflows/docker-build-and-scan.yaml
@@ -0,0 +1,37 @@
+name: Docker Build and Trivy Scan
+
+on:
+  push:
+    branches:
+      - '**'
+
+jobs:
+  build-and-scan:
+    runs-on: ubuntu-latest
+    env:
+      DOCKER_CONTEXT: '.'
+      DOCKERFILE: 'Dockerfile'
+      DOCKER_LOAD: 'true'
+      TAGS: 'sample-python-app:${{ github.sha }}'
+    steps:
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3.12.0
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3.7.0
+      - name: Build Docker Image
+        id: build-image
+        uses: docker/build-push-action@v6
+        with:
+          context: ${{ env.DOCKER_CONTEXT }}
+          file: ${{ env.DOCKERFILE }}
+          load: ${{ env.DOCKER_LOAD }}
+          tags: ${{ env.TAGS }}
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@0.33.1
+        with:
+          image-ref: ${{ steps.build-image.outputs.digest }}
+          format: 'table'
+          exit-code: '1'
+          ignore-unfixed: true
+          vuln-type: 'os,library'
+          severity: 'CRITICAL,HIGH'
diff --git a/Dockerfile b/Dockerfile
@@ -0,0 +1,39 @@
+FROM ghcr.io/astral-sh/uv:python3.13-bookworm-slim AS builder
+ENV UV_COMPILE_BYTECODE=1 UV_LINK_MODE=copy
+
+ENV UV_NO_DEV=1
+
+ENV UV_PYTHON_DOWNLOADS=0
+
+WORKDIR /app
+RUN --mount=type=cache,target=/root/.cache/uv \
+    --mount=type=bind,source=uv.lock,target=uv.lock \
+    --mount=type=bind,source=pyproject.toml,target=pyproject.toml \
+    uv sync --locked --no-install-project
+COPY . /app
+RUN --mount=type=cache,target=/root/.cache/uv \
+    uv sync --locked
+
+FROM python:3.13-slim-bookworm
+
+RUN apt-get update \
+    && apt-get upgrade -y \
+    && apt-get clean \
+    && rm -rf /var/lib/apt/lists/*
+
+RUN groupadd --system --gid 999 nonroot \
+ && useradd --system --gid 999 --uid 999 --create-home nonroot
+
+COPY --from=builder --chown=nonroot:nonroot /app /app
+
+ENV PATH="/app/.venv/bin:$PATH"
+
+USER nonroot
+
+WORKDIR /app
+
+USER nonroot
+
+WORKDIR /app
+
+CMD ["python", "-m","sample_python_app.main"]
