From c7e37fb5e020e80afedb96f4384fc6b78c9794c4 Mon Sep 17 00:00:00 2001
From: Andrew Hosgood
Date: Fri, 5 Apr 2024 12:40:42 +0100
Subject: [PATCH] Only scan published images

---
 .github/workflows/_docker-build-deploy.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/_docker-build-deploy.yml b/.github/workflows/_docker-build-deploy.yml
index dfe28ad..7cd9297 100644
--- a/.github/workflows/_docker-build-deploy.yml
+++ b/.github/workflows/_docker-build-deploy.yml
@@ -101,6 +101,7 @@ jobs:
 tags: ${{ env.IMAGE_ID }}:latest
 provenance: false
 - name: Scan for vulnerabilities
+ if: inputs.publish
 uses: aquasecurity/trivy-action@master
 with:
 image-ref: ${{ env.IMAGE_ID }}:${{ env.TAG }}
@@ -109,7 +110,7 @@ jobs:
 ignore-unfixed: true
 severity: 'CRITICAL,HIGH,MEDIUM'
 - name: Upload Trivy scan results to GitHub Security tab
- if: always()
+ if: inputs.publish
 uses: github/codeql-action/upload-sarif@v2
 with:
 sarif_file: 'trivy-results.sarif'
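Review bot: The new `if: inputs.publish` on the "Scan for vulnerabilities" step only gates correctly if `inputs.publish` is declared with `type: boolean` in the reusable workflow's `workflow_call` inputs, which are outside this hunk; with a string-typed input the value `'false'` is truthy and the scan still runs on every build, so the input declaration should be checked. The step also still references `aquasecurity/trivy-action@master`, a mutable branch, for the step that pulls and inspects the image about to be published; pinning it to a tagged release or a full commit SHA removes that supply-chain exposure. The enclosing job and its `tags:` list begin before this hunk.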
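Review bot: Replacing `if: always()` with `if: inputs.publish` on the "Upload Trivy scan results" step adds an implicit `success()` guard, so the SARIF file is no longer uploaded when the preceding Trivy step fails; if the scan is configured to exit non-zero on findings (its exit-code setting is not visible in this hunk), results stop reaching the Security tab exactly when there is something to report. Keeping the original guarantee while still gating on publish is a one-line change, `if: always() && inputs.publish`. A short comment on the scan step noting that unpublished builds are intentionally not scanned would also help, since findings now surface only at publish time rather than on the change that introduced them.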