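# Composite action: scan a container image with Trivy, reporting only
# CRITICAL and HIGH severity findings.
name: Trivy Scan Image
description: Scan a container image with Trivy

inputs:
  IMAGE_PATH:
    description: "The registry path to the image to scan"
    required: true
  IMAGE_TAG:
    description: "The image tag to scan"
    required: true
  # Only the string "true" selects --exit-code=1; any other value yields
  # --exit-code=0, so findings do not fail the step. Because the scan is
  # limited to --severity CRITICAL,HIGH, lower severities never fail the build.
  FAIL_HARD:
    description: "Boolean: true will fail the build if vulnerabilities are found, false will not"
    required: false
    default: 'false'

runs:
  using: composite
  steps:
    - name: Scan Container Registry Image
      shell: sh
      # Inputs reach the script as environment variables rather than being
      # expanded by ${{ }} inside the script text. Expression expansion happens
      # before the shell parses the script, so an input value containing shell
      # metacharacters would otherwise be executed as part of the command line.
      env:
        IMAGE_PATH: ${{ inputs.IMAGE_PATH }}
        IMAGE_TAG: ${{ inputs.IMAGE_TAG }}
        # Evaluates to the literal '1' or '0' only.
        FAIL_EXIT_CODE: ${{ contains(fromJSON('["true"]'), inputs.FAIL_HARD) && '1' || '0' }}
      run: |
        # Quote the image reference so it stays a single argument, and end
        # option parsing with `--` so a value starting with `-` is not read
        # as a Trivy flag.
        trivy image \
          --report=all \
          --exit-code="${FAIL_EXIT_CODE}" \
          --severity CRITICAL,HIGH \
          -- "${IMAGE_PATH}:${IMAGE_TAG}"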