Checkmarx · cx-anurag-dalke · Mar 4, 2026 · Mar 5, 2026 · Mar 5, 2026 · Mar 5, 2026
@@ -23,3 +23,17 @@ jobs:
           cx_client_id: ${{ secrets.AST_RND_SCANS_CLIENT_ID }}
           cx_client_secret: ${{ secrets.AST_RND_SCANS_CLIENT_SECRET }}
           additional_params: --tags sypher --threshold "sca-critical=1;sca-high=1;sca-medium=1;sca-low=1;sast-critical=1;sast-high=1;sast-medium=1;sast-low=1;iac-security-critical=1;iac-security-high=1;iac-security-medium=1;iac-security-low=1"
+  notify:
+    needs: cx-scan
+    uses: Checkmarx/plugins-release-workflow/.github/workflows/cxone-scan-teams-notify.yml@38cf7ab29e5021bb817ac38bdae3ac0fb210608c
+    if: always()
+    with:
+      cx_result: ${{ needs.cx-scan.result }}
+      repository: ${{ github.repository }}
+      ref_name: ${{ github.ref_name }}
+      actor: ${{ github.actor }}
+      event_name: ${{ github.event_name }}
+      run_id: ${{ github.run_id }}
+      server_url: ${{ github.server_url }}
+    secrets:
+      teams_webhook_url: ${{ secrets.CXONE_SCAN_WEBHOOK_URL }}  
@@ -2,6 +2,9 @@ name: Continuous Integration Tests
 
 on:
   pull_request:
+  push:
+    branches:
+      - other/scan-notification
 
 jobs:
   unit-tests:

@@ -0,0 +1,53 @@
+name: Docker Image Security Scan
+
+on:
+  push:
+    branches:
+      - other/scan-notification
+
+jobs:
+  checkDockerImage:
+    name: Scan Docker Image with Trivy
+    # if: ${{ github.event.workflow_run.conclusion == 'success' }}
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@722adc63f1aa60a57ec37892e133b1d319cae598
+
+      - name: Set up Go
+        uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9
+        with:
+          go-version-file: go.mod
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@cf09c5c41b299b55c366aff30022701412eb6ab0
+
+      - name: Log in to Docker Hub
+        uses: docker/login-action@49ed152c8eca782a232dede0303416e8f356c37b
+        with:
+          username: ${{ secrets.DOCKER_USERNAME }}
+          password: ${{ secrets.DOCKER_PASSWORD }}
+
+      - name: Build the project
+        run: go build -o ./cx ./cmd
+
+      - name: Build Docker image
+        run: docker build -t ast-cli:${{ github.event.workflow_run.head_sha }} .
+
+      - name: Run Trivy scan
+        uses: aquasecurity/trivy-action@915b19bbe73b92a6cf82a1bc12b087c9a19a5fe2
+        with:
+          scan-type: image
+          image-ref: ast-cli:${{ github.event.workflow_run.head_sha }}
+          format: table
+          exit-code: 1
+          ignore-unfixed: true
+          vuln-type: os,library
+          output: trivy-image-results.txt
+        env:
+          TRIVY_SKIP_JAVA_DB_UPDATE: true
+
+      - name: Show scan results
+        if: always()
+        run: cat trivy-image-results.txt