From d52fea563cee2e4bbaaa066800e3e60249830683 Mon Sep 17 00:00:00 2001 From: Aleksandr Pasevin Date: Thu, 28 May 2026 10:05:28 +0300 Subject: [PATCH] ci: enable Anchore Docker image scanning in prod and staging workflows Uncomment the scanning build, Anchore scan, and SARIF upload steps now that the repo is public and CodeQL is set up. Co-Authored-By: Claude Opus 4.7 (1M context) --- .github/workflows/docker-prod.yaml | 50 ++++++++++++++--------------- .github/workflows/docker-stg.yaml | 51 +++++++++++++++--------------- 2 files changed, 49 insertions(+), 52 deletions(-) diff --git a/.github/workflows/docker-prod.yaml b/.github/workflows/docker-prod.yaml index 0afde40..1c50cc3 100644 --- a/.github/workflows/docker-prod.yaml +++ b/.github/workflows/docker-prod.yaml 
@@ -65,32 +65,30 @@ jobs: - name: Login to Amazon ECR uses: aws-actions/amazon-ecr-login@19d944daaa35f0fa1d3f7f8af1d3f2e5de25c5b7 # v2.1.4 - # - name: Build Docker image for scanning - # uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v6.10.0 - # with: - # context: . - # platforms: linux/amd64 - # tags: | - # ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }} - # cache-from: type=gha - # cache-to: type=gha,mode=max - # load: true - # build-args: | - # VITE_EXPORT_ENV=production - - # uncomment after making repo public and adding codeql - # - name: Scan Docker image with Anchore - # uses: anchore/scan-action@64a33b277ea7a1215a3c142735a1091341939ff5 # v4.1.2 - # id: scan - # with: - # image: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }} - # fail-build: false - - - # - name: Upload Anchore scan SARIF report - # uses: github/codeql-action/upload-sarif@ea9e4e37992a54ee68a9622e985e60c8e8f12d9f # v3.27.4 - # with: - # sarif_file: ${{ steps.scan.outputs.sarif }} + - name: Build Docker image for scanning + uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v6.10.0 + with: + context: . + platforms: linux/amd64 + tags: | + ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }} + cache-from: type=gha + cache-to: type=gha,mode=max + load: true + build-args: | + VITE_EXPORT_ENV=production + + - name: Scan Docker image with Anchore + uses: anchore/scan-action@64a33b277ea7a1215a3c142735a1091341939ff5 # v4.1.2 + id: scan + with: + image: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }} + fail-build: false + + - name: Upload Anchore scan SARIF report + uses: github/codeql-action/upload-sarif@ea9e4e37992a54ee68a9622e985e60c8e8f12d9f # v3.27.4 + with: + sarif_file: ${{ steps.scan.outputs.sarif }} - name: Build and push multi-platform Docker image uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v6.10.0 
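Review bot: `fail-build: false` on the Anchore step means the scan never gates the job, so the `Build and push multi-platform Docker image` step that follows still publishes the image to ECR regardless of what the scan finds; the findings only surface later in code scanning. If the intent is to block known-vulnerable images, set `fail-build: true` with `severity-cutoff: high` on the scan step, and add `if: always()` to the `Upload Anchore scan SARIF report` step so the SARIF still reaches code scanning when the scan step fails. The upload step also needs `security-events: write` in the workflow or job `permissions:` block, which is outside this hunk, so it is worth confirming that grant exists. The docker-stg.yaml hunk has the same shape and the same gap, differing only in its build-args. The enclosing `jobs:` block starts and ends outside the hunk.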
diff --git a/.github/workflows/docker-stg.yaml b/.github/workflows/docker-stg.yaml index aa0f260..1beaf6a 100644 --- a/.github/workflows/docker-stg.yaml +++ b/.github/workflows/docker-stg.yaml 
@@ -173,32 +173,31 @@ jobs: - name: Login to Amazon ECR uses: aws-actions/amazon-ecr-login@19d944daaa35f0fa1d3f7f8af1d3f2e5de25c5b7 # v2.1.4 - # - name: Build Docker image for scanning - # uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v6.10.0 - # with: - # context: . - # platforms: linux/amd64 - # tags: | - # ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }} - # cache-from: type=gha - # cache-to: type=gha,mode=max - # load: true - # build-args: | - # VITE_APP_CFG_FEATURE_FLAG_ANALYTICS_ENABLED=false - # VITE_GA_TAG_ID=${{ secrets.VITE_GA_TAG_ID_STAGING }} - - # Uncomment after making repo public and adding codeql - # - name: Scan Docker image with Anchore - # uses: anchore/scan-action@64a33b277ea7a1215a3c142735a1091341939ff5 # v4.1.2 - # id: scan - # with: - # image: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }} - # fail-build: false - - # - name: Upload Anchore scan SARIF report - # uses: github/codeql-action/upload-sarif@ea9e4e37992a54ee68a9622e985e60c8e8f12d9f # v3.27.4 - # with: - # sarif_file: ${{ steps.scan.outputs.sarif }} + - name: Build Docker image for scanning + uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v6.10.0 + with: + context: . 
+ platforms: linux/amd64 + tags: | + ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }} + cache-from: type=gha + cache-to: type=gha,mode=max + load: true + build-args: | + VITE_APP_CFG_FEATURE_FLAG_ANALYTICS_ENABLED=false + VITE_GA_TAG_ID=${{ secrets.VITE_GA_TAG_ID_STAGING }} + + - name: Scan Docker image with Anchore + uses: anchore/scan-action@64a33b277ea7a1215a3c142735a1091341939ff5 # v4.1.2 + id: scan + with: + image: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }} + fail-build: false + + - name: Upload Anchore scan SARIF report + uses: github/codeql-action/upload-sarif@ea9e4e37992a54ee68a9622e985e60c8e8f12d9f # v3.27.4 + with: + sarif_file: ${{ steps.scan.outputs.sarif }} - name: Build and push multi-platform Docker image uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v6.10.0