From 3ddfd52bbb2408b359b762bcdaf3bb82dbe3986f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mathias=20R=C3=BChle?=
Date: Thu, 30 Mar 2023 02:52:14 +0200
Subject: [PATCH] Scan All Configured Docker Images
---
 .github/workflows/ci.yml | 66 ++++++++++++++++++++++++++++++++++++++++
 1 file changed, 66 insertions(+)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 7867704..c2e4f82 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -59,3 +59,69 @@ jobs:
 run: |
 ACCESS_TOKEN="$(feasibility-triangle/get-fhir-server-access-token.sh)"
 .github/scripts/test-consent-queries.sh https://fhir.localhost:444/fhir "$ACCESS_TOKEN" feasibility-triangle/auth/cert.pem
+
+ prepare-security-scan:
+ runs-on: ubuntu-latest
+ outputs:
+ images: ${{ steps.matrixgen.outputs.images }}
+ steps:
+
+ - uses: actions/checkout@v4
+
+ - name: Generate Image Test Matrix
+ id: matrixgen
+ run: |
+ echo "images=$(
+ first=true
+ echo -n '['
+ for i in $(grep -r --include="*docker-compose.yml" -Pho 'image: \K(.+)$' | tr -d "\"'" | sort | uniq)
+ do
+ if $first
+ then
+ first=false
+ else
+ echo -n ","
+ fi
+ echo -n '"'$i'"'
+ done
+ echo ']')" >> "$GITHUB_OUTPUT"
+
+ security-scan:
+ runs-on: ubuntu-latest
+ needs: prepare-security-scan
+ strategy:
+ fail-fast: false
+ matrix:
+ image: ${{ fromJSON(needs.prepare-security-scan.outputs.images) }}
+ steps:
+ - name: Run Trivy Vulnerability Scanner
+ uses: aquasecurity/trivy-action@master
+ with:
+ image-ref: ${{ matrix.image }}
+ exit-code: 1
+ ignore-unfixed: true
+ severity: 'CRITICAL,HIGH'
+ timeout: '15m0s'
+
+ security-scan-upload:
+ runs-on: ubuntu-latest
+ needs: prepare-security-scan
+ strategy:
+ fail-fast: false
+ matrix:
+ image: ${{ fromJSON(needs.prepare-security-scan.outputs.images) }}
+ steps:
+ - name: Run Trivy Vulnerability Scanner
+ uses: aquasecurity/trivy-action@master
+ with:
+ image-ref: ${{ matrix.image }}
+ format: sarif
+ ignore-unfixed: true
+ output: trivy-results.sarif
+ severity: 'CRITICAL,HIGH'
+ timeout: '15m0s'
+
+ - name: Upload Trivy Scan Results to GitHub Security Tab
+ uses: github/codeql-action/upload-sarif@v2
+ with:
+ sarif_file: trivy-results.sarif
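Review bot: Both Trivy steps in `security-scan` and `security-scan-upload` reference `uses: aquasecurity/trivy-action@master`, a mutable branch ref, so each run executes whatever that branch currently holds and the scanning jobs themselves become a supply-chain exposure; pin to a release tag or, better, a full commit SHA with the version in a trailing comment, e.g. `uses: aquasecurity/trivy-action@<release-tag-or-commit-sha>  # <version>`. The `security-scan-upload` job declares no `permissions:` block, yet `github/codeql-action/upload-sarif` needs `security-events: write`, which the job token lacks when the repository's default token permissions are read-only, so add `permissions: { contents: read, security-events: write }` to that job (and an explicit `contents: read` to the other two so least privilege is stated rather than inherited). Because the upload step runs once per matrix image without a `category:` input, the per-image SARIF uploads will likely share one code-scanning category and overwrite each other; `category: ${{ matrix.image }}` keeps one result set per image. In `prepare-security-scan`, the JSON array is hand-built with an unquoted `$i` subject to word splitting, and the `-Po 'image: \K(.+)$'` capture keeps anything after the image name (a trailing comment, or unexpanded `${VAR}` compose interpolation that Trivy would then try to pull literally), so a pipeline such as `... | sort -u | jq -R . | jq -sc .` would emit well-formed JSON from a single quoted value per line.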