.github/workflows/trivy.yml

---
name: Trivy Scan
on:
  workflow_dispatch:
  workflow_call:
  push:
    branches:
      - main
      - prod
    tags:
      - v1.*

permissions:
  contents: read

jobs:
  trivy:
    permissions:
      contents: read
      security-events: write
      actions: read
    env:
      DOCKER_NAME: fac
      WORKING_DIRECTORY: ./backend
    name: Trivy Scan FAC Web Container
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Get Date
        shell: bash
        id: date
        run: |
          echo "date=$(date +%Y%m%d%H%M%S)" >> $GITHUB_OUTPUT

      - name: Build Container
        working-directory: ${{ env.WORKING_DIRECTORY }}
        run: docker build -t ${{ env.DOCKER_NAME }}:${{ steps.date.outputs.date }} .

      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@0.23.0
        with:
          image-ref: '${{ env.DOCKER_NAME }}:${{ steps.date.outputs.date }}'
          scan-type: 'image'
          hide-progress: false
          format: 'sarif'
          output: 'trivy-results.sarif'
          exit-code: 0 # Setting the exit-code to 1 will fail the action, without publishing to Github Security Tab (> aquasecurity/trivy-action@0.13.1)
          severity: 'CRITICAL,HIGH'
          timeout: 15m0s
          ignore-unfixed: true

      - name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: 'trivy-results.sarif'

  scan-third-party:
    permissions:
      contents: read
      security-events: write
      actions: read
    name: Trivy Scan Third Party Images
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        image:
          - name: ghcr.io/gsa-tts/fac/postgrest:latest
          - name: ghcr.io/gsa-tts/fac/clamav:latest
    steps:
      - name: Pull Third Party Docker Images
        run: docker pull ${{ matrix.image.name }}

      - name: Run Trivy vulnerability scanner on Third Party Images
        uses: aquasecurity/trivy-action@0.23.0
        with:
          image-ref: '${{ matrix.image.name }}'
          scan-type: 'image'
          hide-progress: false
          format: 'sarif'
          output: 'trivy-results.sarif'
          exit-code: 0 # Setting the exit-code to 1 will fail the action, without publishing to Github Security Tab (> aquasecurity/trivy-action@0.13.1)
          severity: 'CRITICAL,HIGH'
          timeout: 15m0s
          ignore-unfixed: true

      - name: Upload Trivy scan results to GitHub Security tab for Third Party Images
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: 'trivy-results.sarif'