From 86493a3c4800292139132ba9f14657d76a75f5fe Mon Sep 17 00:00:00 2001
From: Nico Koprowski
Date: Fri, 22 Nov 2024 17:41:52 +0800
Subject: [PATCH] cicd(trivy): build local images for scheduled trivy checks - update trivy to 0.29.0 to avoid rate limit issues
---
 .github/workflows/app-test-trivy-all.yaml | 47 -------
 .github/workflows/app-test-trivy.yaml | 36 ++---
 .github/workflows/trivy.yml | 158 +++-------------------
 3 files changed, 34 insertions(+), 207 deletions(-)
 delete mode 100644 .github/workflows/app-test-trivy-all.yaml

diff --git a/.github/workflows/app-test-trivy-all.yaml b/.github/workflows/app-test-trivy-all.yaml
deleted file mode 100644
index d40cb4399..000000000
--- a/.github/workflows/app-test-trivy-all.yaml
+++ /dev/null
@@ -1,47 +0,0 @@ -################################################################################ -# Copyright (c) 2021,2024 Contributors to the Eclipse Foundation -# -# See the NOTICE file(s) distributed with this work for additional -# information regarding copyright ownership. -# -# This program and the accompanying materials are made available under the -# terms of the Apache License, Version 2.0 which is available at -# https://www.apache.org/licenses/LICENSE-2.0. -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. -# -# SPDX-License-Identifier: Apache-2.0 -################################################################################ - -name: 'Perform Trivy Scan on All Apps' -on: - workflow_dispatch: - workflow_call: - pull_request: - branches: - - main - - 'release/**' -jobs: - scan-pool: - uses: ./.github/workflows/app-test-trivy.yaml - with: - app: pool - - scan-gate: - uses: ./.github/workflows/app-test-trivy.yaml - with: - app: gate - - scan-orchestrator: - uses: ./.github/workflows/app-test-trivy.yaml - with: - app: orchestrator - - scan-cleaning-service-dummy: - uses: ./.github/workflows/app-test-trivy.yaml - with: - app: cleaning-service-dummy diff --git a/.github/workflows/app-test-trivy.yaml b/.github/workflows/app-test-trivy.yaml index dd85db79c..b03b88299 100644 --- a/.github/workflows/app-test-trivy.yaml +++ b/.github/workflows/app-test-trivy.yaml 
@@ -17,28 +17,20 @@ # SPDX-License-Identifier: Apache-2.0 ################################################################################ -name: Perform Trivy Scan on App +name: 'Perform Trivy Scan on All Apps' on: workflow_dispatch: - inputs: - app: - description: 'The name of the BPDM app to scan' - type: choice - required: true - options: - - pool - - gate - - orchestrator - - cleaning-service-dummy workflow_call: - inputs: - app: - description: 'The name of the BPDM app to scan' - type: string - required: true + pull_request: + branches: + - main + - 'release/**' jobs: - scan: + scan-image: runs-on: ubuntu-latest + strategy: + matrix: + app: [pool, gate, orchestrator, cleaning-service-dummy] steps: - name: Checkout repository uses: actions/checkout@v4 @@ -50,14 +42,14 @@ jobs: uses: docker/build-push-action@v6 with: context: . - file: docker/${{ inputs.app }}/Dockerfile - tags: bpdm-${{ inputs.app }}:test + file: docker/${{ matrix.app }}/Dockerfile + tags: bpdm-${{ matrix.app }}:test load: true - name: Run Trivy vulnerability scanner - uses: aquasecurity/trivy-action@0.28.0 + uses: aquasecurity/trivy-action@0.29.0 with: - image-ref: "bpdm-${{ inputs.app }}:test" + image-ref: "bpdm-${{ matrix.app }}:test" exit-code: "1" severity: "CRITICAL,HIGH" - timeout: 15m \ No newline at end of file + timeout: 15m diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml index e244bcf85..603abd418 100644 --- a/.github/workflows/trivy.yml +++ b/.github/workflows/trivy.yml @@ -26,6 +26,7 @@ on: push: branches: - main + - 'release/**' schedule: # Once a day - cron: "0 0 * * *" 
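Review bot: The new `scan-image` matrix keeps GitHub's default `fail-fast: true`, so together with `exit-code: "1"` in the second hunk a HIGH/CRITICAL finding in one app cancels the remaining three matrix jobs and their results may never be reported; add `fail-fast: false` directly under `strategy:`. The same gap exists in the `scan-app` matrix of `trivy.yml` in this patch, where cancelled jobs also lose their SARIF upload and where the previous one-job-per-app layout scanned each image independently. Unlike `trivy.yml`, this workflow declares no `permissions:` block, so the job runs with whatever token scope the repository defaults to; a workflow-level `permissions: contents: read` would make the intended least privilege explicit for a job that only checks out and builds. Separately, `aquasecurity/trivy-action@0.29.0`, `docker/build-push-action@v6` and `actions/checkout@v4` are pinned to mutable tags in both files; for actions that gate pull requests and, in `trivy.yml`, hold `security-events: write`, pinning to the full commit SHA with the tag kept in a trailing comment removes the risk of a moved tag changing what runs.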
@@ -33,162 +34,43 @@ on: workflow_dispatch: jobs: - analyze-config: + scan-app: runs-on: ubuntu-latest permissions: actions: read contents: read security-events: write - + strategy: + matrix: + app: [pool, gate, orchestrator, cleaning-service-dummy] steps: - name: Checkout repository uses: actions/checkout@v4 - - name: Run Trivy vulnerability scanner in repo mode - uses: aquasecurity/trivy-action@0.28.0 - with: - scan-type: "config" - # ignore-unfixed: true - exit-code: "0" - hide-progress: false - format: "sarif" - output: "trivy-results1.sarif" - severity: "CRITICAL,HIGH" + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 - - name: Upload Trivy scan results to GitHub Security tab - uses: github/codeql-action/upload-sarif@v3 - if: always() + - name: Build App Image + uses: docker/build-push-action@v6 with: - sarif_file: "trivy-results1.sarif" - - analyze-product-bpdm-pool: - runs-on: ubuntu-latest - permissions: - actions: read - contents: read - security-events: write - packages: read - - steps: - - name: Checkout repository - uses: actions/checkout@v4 + context: . 
+ file: docker/${{ matrix.app }}/Dockerfile + tags: bpdm-${{ matrix.app }}:test + load: true - name: Run Trivy vulnerability scanner - if: always() - uses: aquasecurity/trivy-action@master + uses: aquasecurity/trivy-action@0.29.0 with: - # Path to Docker image - image-ref: "docker.io/tractusx/bpdm-pool:latest" + image-ref: "bpdm-${{ matrix.app }}:test" format: "sarif" - output: "trivy-results2.sarif" - exit-code: "0" + output: "trivy-${{ matrix.app }}-results.sarif" severity: "CRITICAL,HIGH" - timeout: 15m - env: - TRIVY_USERNAME: ${{ github.actor }} - TRIVY_PASSWORD: ${{ secrets.GITHUB_TOKEN }} - - - name: Upload Trivy scan results to GitHub Security tab - if: always() - uses: github/codeql-action/upload-sarif@v3 - with: - sarif_file: "trivy-results2.sarif" - - analyze-product-bpdm-gate: - runs-on: ubuntu-latest - permissions: - actions: read - contents: read - security-events: write - packages: read - - steps: - - name: Checkout repository - uses: actions/checkout@v4 - - - name: Run Trivy vulnerability scanner - if: always() - uses: aquasecurity/trivy-action@0.28.0 - with: - # Path to Docker image - image-ref: "docker.io/tractusx/bpdm-gate:latest" - format: "sarif" - output: "trivy-results3.sarif" - exit-code: "0" - severity: "CRITICAL,HIGH" - timeout: 15m - env: - TRIVY_USERNAME: ${{ github.actor }} - TRIVY_PASSWORD: ${{ secrets.GITHUB_TOKEN }} - - - name: Upload Trivy scan results to GitHub Security tab - if: always() - uses: github/codeql-action/upload-sarif@v3 - with: - sarif_file: "trivy-results3.sarif" - - analyze-product-bpdm-cleaning-service-dummy: - runs-on: ubuntu-latest - permissions: - actions: read - contents: read - security-events: write - packages: read - - steps: - - name: Checkout repository - uses: actions/checkout@v4 - - - name: Run Trivy vulnerability scanner - if: always() - uses: aquasecurity/trivy-action@0.28.0 - with: - # Path to Docker image - image-ref: "docker.io/tractusx/bpdm-cleaning-service-dummy:latest" - format: "sarif" - output: 
"trivy-results4.sarif" - exit-code: "0" - severity: "CRITICAL,HIGH" - timeout: 15m - env: - TRIVY_USERNAME: ${{ github.actor }} - TRIVY_PASSWORD: ${{ secrets.GITHUB_TOKEN }} - - - name: Upload Trivy scan results to GitHub Security tab - if: always() - uses: github/codeql-action/upload-sarif@v3 - with: - sarif_file: "trivy-results4.sarif" - - analyze-product-bpdm-orchestrator: - runs-on: ubuntu-latest - permissions: - actions: read - contents: read - security-events: write - packages: read - - steps: - - name: Checkout repository - uses: actions/checkout@v4 - - - name: Run Trivy vulnerability scanner - if: always() - uses: aquasecurity/trivy-action@0.28.0 - with: - # Path to Docker image - image-ref: "docker.io/tractusx/bpdm-orchestrator:latest" - format: "sarif" - output: "trivy-results4.sarif" - exit-code: "0" - severity: "CRITICAL,HIGH" - timeout: 15m - env: - TRIVY_USERNAME: ${{ github.actor }} - TRIVY_PASSWORD: ${{ secrets.GITHUB_TOKEN }} + hide-progress: false + exit-code: "1" + limit-severities-for-sarif: true - name: Upload Trivy scan results to GitHub Security tab if: always() uses: github/codeql-action/upload-sarif@v3 with: - sarif_file: "trivy-results4.sarif" \ No newline at end of file + sarif_file: "trivy-${{ matrix.app }}-results.sarif" \ No newline at end of file