From f7098a3a496790412fe1d3d3a7b9d1bde90e2ee4 Mon Sep 17 00:00:00 2001
From: admin
Date: Thu, 18 Dec 2025 13:39:07 -0600
Subject: [PATCH] fix(ci): use filesystem scan instead of image scan for Trivy

---
 .github/workflows/trivy.yml | 13 ++++++-------
 1 file changed, 6 insertions(+), 7 deletions(-)

diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml
index 9f0dcdc71e..449e322476 100644
--- a/.github/workflows/trivy.yml
+++ b/.github/workflows/trivy.yml
@@ -1,5 +1,6 @@
-# Trivy vulnerability scanner for container images
-# Scans Docker images for CVEs and uploads results to GitHub Security tab
+# Trivy vulnerability scanner
+# Scans for CVEs in filesystem/dependencies and uploads to GitHub Security tab
+# Note: Image scanning requires built artifacts, use release workflow for that
 
 name: Trivy Security Scan
 
@@ -23,13 +24,11 @@ jobs:
       - name: Checkout
         uses: actions/checkout@v4
 
-      - name: Build Docker image
-        run: docker build -t ghcr.io/cheir-mneme/aletheia:${{ github.sha }} -f docker/Dockerfile .
-
-      - name: Run Trivy vulnerability scanner
+      - name: Run Trivy filesystem scanner
         uses: aquasecurity/trivy-action@master
         with:
-          image-ref: 'ghcr.io/cheir-mneme/aletheia:${{ github.sha }}'
+          scan-type: 'fs'
+          scan-ref: '.'
           format: 'sarif'
           output: 'trivy-results.sarif'
           severity: 'CRITICAL,HIGH'
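Review bot: The rewritten scan step in the second hunk still resolves the scanner from a mutable branch, `uses: aquasecurity/trivy-action@master`, so the tool that produces the project's security findings is itself an unpinned supply-chain dependency that can change or break between runs without any change in this repository. Pin it like the checkout step already is, e.g. `uses: aquasecurity/trivy-action@<pinned release tag or commit SHA>`, and let Dependabot or a similar updater bump it deliberately. Separately, the header comment added in the first hunk defers image scanning to a "release workflow"; that workflow is not visible in this patch, so it should be confirmed to exist (and to scan the built image) before the statement is relied on, since the `fs` scan of `.` does not cover base-image OS packages. The `jobs:` and `steps:` stanzas enclosing this hunk start outside it.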