Add input to the Trivy workflow in

<org>/actions/.github/workflows/reusable-trivy.yml

• Add these inputs lines under the workflow_call: event

on:
  workflow_call:
    inputs:
      image:
        description: Image to scan
        required: true
        type: string

• Then pass that value to the trivy action step at bottom

      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@0.11.2
        with:
          image-ref: ${{ inputs.image }}

Add input to the wordsmith-web workflow PR

<org>/wordsmith-web/.github/workflows/call-trivy.yml

1. Change the <org> to yours

jobs:
  scan:
    name: Scan
    uses: <org>/actions/.github/workflows/reusable-trivy.yml@<pr-branch-name>
    with:
      image: 'ghcr.io/<org>/wordsmith-web:latest'

2. Commit that and watch the Action run in the wordsmith-web repo

3. We now have a working reusable workflow

But we’re only scanning latest

A CVE scan is more valuable if it’s scanning each PR commit

1. We’ll need to ensure our Docker Build creates a unique image tag for each PR commit

2. Also, we’ll need to wait for Docker Build to finish before trying to scan

• We’ll enhance the Docker Build in today’s Homework!