From 1f59c01d40d768bf1639f191e1b04c512cf37ff1 Mon Sep 17 00:00:00 2001
From: Nico Koprowski
Date: Wed, 29 May 2024 13:27:18 +0800
Subject: [PATCH] cicd: add trivy check on pull request code contribution

---
 .github/workflows/app-test-trivy-all.yaml | 47 +++++++++++++++++
 .github/workflows/app-test-trivy.yaml | 62 +++++++++++++++++++++++
 2 files changed, 109 insertions(+)
 create mode 100644 .github/workflows/app-test-trivy-all.yaml
 create mode 100644 .github/workflows/app-test-trivy.yaml

diff --git a/.github/workflows/app-test-trivy-all.yaml b/.github/workflows/app-test-trivy-all.yaml
new file mode 100644
index 000000000..d40cb4399
--- /dev/null
+++ b/.github/workflows/app-test-trivy-all.yaml
@@ -0,0 +1,47 @@
+################################################################################
+# Copyright (c) 2021,2024 Contributors to the Eclipse Foundation
+#
+# See the NOTICE file(s) distributed with this work for additional
+# information regarding copyright ownership.
+#
+# This program and the accompanying materials are made available under the
+# terms of the Apache License, Version 2.0 which is available at
+# https://www.apache.org/licenses/LICENSE-2.0.
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+################################################################################
+
+name: 'Perform Trivy Scan on All Apps'
+on:
+  workflow_dispatch:
+  workflow_call:
+  pull_request:
+    branches:
+      - main
+      - 'release/**'
+jobs:
+  scan-pool:
+    uses: ./.github/workflows/app-test-trivy.yaml
+    with:
+      app: pool
+
+  scan-gate:
+    uses: ./.github/workflows/app-test-trivy.yaml
+    with:
+      app: gate
+
+  scan-orchestrator:
+    uses: ./.github/workflows/app-test-trivy.yaml
+    with:
+      app: orchestrator
+
+  scan-cleaning-service-dummy:
+    uses: ./.github/workflows/app-test-trivy.yaml
+    with:
+      app: cleaning-service-dummy
diff --git a/.github/workflows/app-test-trivy.yaml b/.github/workflows/app-test-trivy.yaml
new file mode 100644
index 000000000..95ad097f4
--- /dev/null
+++ b/.github/workflows/app-test-trivy.yaml
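Review bot: No `permissions:` block is declared, so every job here runs with the repository's default GITHUB_TOKEN scope, and the called workflow in app-test-trivy.yaml inherits that scope from the caller; a build-and-scan workflow needs nothing beyond `permissions:` / `  contents: read` at the top level, directly after `name:`. The same omission applies to the second file in this patch (app-test-trivy.yaml), where checkout and a local, non-pushed image build need read access only. As a point of style, the four jobs differ only in `app`; a reusable-workflow call accepts `strategy.matrix`, so one job with a matrix over the four app names and `app: ${{ matrix.app }}` would keep the list in one place and match the `options` list in the called workflow.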
@@ -0,0 +1,62 @@
+################################################################################
+# Copyright (c) 2021,2024 Contributors to the Eclipse Foundation
+#
+# See the NOTICE file(s) distributed with this work for additional
+# information regarding copyright ownership.
+#
+# This program and the accompanying materials are made available under the
+# terms of the Apache License, Version 2.0 which is available at
+# https://www.apache.org/licenses/LICENSE-2.0.
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+################################################################################
+
+name: Perform Trivy Scan on App
+on:
+  workflow_dispatch:
+    inputs:
+      app:
+        description: 'The name of the BPDM app to scan'
+        type: choice
+        required: true
+        options:
+          - pool
+          - gate
+          - orchestrator
+          - cleaning-service-dummy
+  workflow_call:
+    inputs:
+      app:
+        description: 'The name of the BPDM app to scan'
+        type: string
+        required: true
+jobs:
+  scan:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Build App Image
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          file: docker/${{ inputs.app }}/Dockerfile
+          tags: bpdm-${{ inputs.app }}:test
+
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@0.18.0
+        with:
+          image-ref: "bpdm-${{ inputs.app }}:test"
+          exit-code: "1"
+          severity: "CRITICAL,HIGH"
+          timeout: 15m
\ No newline at end of file
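Review bot: The Trivy step expects `image-ref: "bpdm-${{ inputs.app }}:test"` to exist in the runner's Docker daemon, but the "Build App Image" step neither pushes nor loads the image; with the docker-container builder that setup-buildx-action creates by default, the build result stays in the builder's cache and no image with that tag is visible to Trivy, so the scan would most likely fail as image-not-found rather than report findings (not verified here; confirm against the action's documentation for the major version in use). Adding `load: true` under the build step's `with:` makes the built image available to the local daemon. Separately, all four actions are referenced by mutable tags (`@v4`, `@v3`, `@v5`, `@0.18.0`); pinning each to a full commit SHA with the version in a trailing comment is the usual supply-chain hardening for a check that runs on every pull request. Note also that `timeout: 15m` bounds only the Trivy scan itself; a `timeout-minutes:` on the `scan` job would bound the image build as well.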