(feat) add container scanning to PR's

.github/workflows/test-build.yml

@@ -1,5 +1,6 @@
 name: Test & Build
 on: push
+
 jobs:
   test:
     name: Test
@@ -34,12 +35,54 @@ jobs:
       - name: Test
         run: go test ./...
 
+  scan-container:
+    name: Scan Container
+    runs-on: depot-ubuntu-24.04
+      # this is for container scanning with aws inspector
+    permissions:
+      id-token: write   # This is required for requesting the JWT
+      contents: read    # This is required for actions/checkout@v2
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0 # also fetch tags and branches for `git describe`
+
+      - uses: depot/setup-action@v1
+
+      - name: Build Docker image
+        uses: depot/build-push-action@v1
+        with:
+          project: xnsnw3m20t
+          context: .
+          file: "build/package/Dockerfile"
+          push: false
+          tags: app:latest
+          load: true
+
+      - name: Configure AWS credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          aws-region: "eu-west-2"
+          role-to-assume: "${{ secrets.AWS_INSPECTOR_ROLE }}"
+
+      - name: Invoke Amazon Inspector Scan
+        id: inspector
+        uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@main
+        with:
+          artifact_type: 'container'
+          artifact_path: 'app:latest'
+          display_vulnerability_findings: "enabled"
+          sbomgen_version: "latest"
+
   build:
     name: Build
     runs-on: ubuntu-latest
     if: ${{ github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/') }}
     needs:
       - test
+      - scan-container
     permissions:
       contents: read # required for checkout
       id-token: write # mint AWS credentials through OIDC