trivy scan fs and image (#17)

.github/workflows/trivy.yaml

@@ -0,0 +1,113 @@
+name: Trivy
+
+on:
+  schedule:
+    - cron: '0 10 * * *'
+
+jobs:
+  list-branches-to-scan:
+    runs-on: ubuntu-latest
+    outputs:
+      branches: ${{ steps.branches.outputs.branches }}
+    steps:
+      - name: Checking out repo
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      - name: List branches to scan
+        id: branches
+        run: |
+          # regex matches branches like
+          #  origin/1.28
+          #  origin/v1.1
+          #  origin/release-1.30
+          #  origin/master
+          #  origin/main
+          BRANCHES=$(git branch -r | grep  -E '^  origin\/(((v|release-)?[0-9]+.[0-9]+)|main)$' | \
+            sed -e 's#^  origin/##'  | jq -R -s -c 'split("\n")[:-1]')
+          echo "branches=$(echo $BRANCHES)" >> $GITHUB_OUTPUT
+  scan-fs:
+    runs-on: ubuntu-latest
+    needs: list-branches-to-scan
+    strategy:
+      matrix:
+        branch: ${{ fromJson(needs.list-branches-to-scan.outputs.branches) }}
+    permissions:
+      security-events: write
+    steps:
+      - name: Checking out repo
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ matrix.branch }}
+          fetch-depth: 0
+      - name: Run Trivy vulnerability scanner in repo mode
+        uses: aquasecurity/[email protected]
+        with:
+          scan-type: "fs"
+          ignore-unfixed: true
+          format: "sarif"
+          output: "output.sarif"
+          severity: "MEDIUM,HIGH,CRITICAL"
+        env:
+          TRIVY_DB_REPOSITORY: "public.ecr.aws/aquasecurity/trivy-db"
+      - name: Get commit sha
+        run: |
+          SHA="$(git rev-parse HEAD)"
+          echo "head_sha=$SHA" >> "$GITHUB_ENV"
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: "output.sarif"
+          sha: ${{ env.head_sha }}
+          ref: refs/heads/${{ matrix.branch }}
+  scan-container:
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+    steps:
+      - uses: actions/github-script@v7
+        id: read-tag
+        with:
+          script: |
+            let package_type = "container"
+            let org = context.repo.owner
+            let package_name = context.repo.repo
+            const { data: packages } = await github.request('GET /orgs/{org}/packages/{package_type}/{package_name}/versions', {
+              package_type: package_type,
+              package_name: package_name,
+              org: org,
+              headers: {
+                'X-GitHub-Api-Version': '2022-11-28'
+              }
+            })            
+            return {
+                  git_tag: packages[0].metadata.container.tags[0].split("-")[0],
+                  container_tag: packages[0].metadata.container.tags[0]
+            }
+      - name: Checking out repo
+        uses: actions/checkout@v4
+        with:
+          ref: "rawfile-csi-${{ fromJson(steps.read-tag.outputs.result).git_tag }}"
+          fetch-depth: 0
+      - name: Get commit sha
+        run: |
+          SHA="$(git rev-parse HEAD)"
+          echo "head_sha=$SHA" >> "$GITHUB_ENV"
+
+      - name: Run Trivy vulnerability scanner in image mode
+        uses: aquasecurity/[email protected]
+        with:
+          image-ref: "ghcr.io/${{ github.repository }}:${{ fromJson(steps.read-tag.outputs.result).container_tag }}"
+          ignore-unfixed: true
+          format: 'template'
+          template: '@/contrib/sarif.tpl'
+          output: "output.sarif"
+          severity: "MEDIUM,HIGH,CRITICAL"
+        env:
+          TRIVY_DB_REPOSITORY: "public.ecr.aws/aquasecurity/trivy-db"
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: "output.sarif"
+          ref: refs/tags/rawfile-csi-${{ fromJson(steps.read-tag.outputs.result).git_tag }}
+          sha: ${{ env.head_sha }}