From b50fecfb02979d0045f82cf71ac13a28327c5e60 Mon Sep 17 00:00:00 2001
From: Senthilkumar Panneerselvam
Date: Fri, 10 Mar 2023 10:07:42 +0100
Subject: [PATCH] Add Trivy workflow
---
 .github/workflows/trivy-branch.yaml | 40 +++++++++++++++++++++++
 .github/workflows/trivy-scheduled.yaml | 44 ++++++++++++++++++++++++++
 2 files changed, 84 insertions(+)
 create mode 100644 .github/workflows/trivy-branch.yaml
 create mode 100644 .github/workflows/trivy-scheduled.yaml
diff --git a/.github/workflows/trivy-branch.yaml b/.github/workflows/trivy-branch.yaml
new file mode 100644
index 0000000..2eb57b0
--- /dev/null
+++ b/.github/workflows/trivy-branch.yaml
@@ -0,0 +1,40 @@
+# Trivy: Scan of current branch
+# Trivy is a comprehensive and versatile security scanner.
+# Trivy has scanners that look for security issues, and targets where it can find those issues.
+# https://github.com/aquasecurity/trivy
+#
+# This runs on every push for every branch
+# ----------------------------------------
+
+name: Trivy - branch scan
+on:
+  pull_request:
+  push:
+    branches:
+      - master
+
+jobs:
+  scan:
+    permissions:
+      contents: read
+      security-events: write
+    name: Build
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v3
+
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@0.9.2
+        with:
+          scan-type: "fs"
+          ignore-unfixed: true
+          format: 'sarif'
+          output: 'trivy-results.sarif'
+          severity: 'CRITICAL,HIGH'
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          sarif_file: 'trivy-results.sarif'
+          category: trivy-branch
diff --git a/.github/workflows/trivy-scheduled.yaml b/.github/workflows/trivy-scheduled.yaml
new file mode 100644
index 0000000..b4fb4ec
--- /dev/null
+++ b/.github/workflows/trivy-scheduled.yaml
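Review bot: The header comment `# This runs on every push for every branch` contradicts the `on:` block beneath it, which fires on `pull_request` and on `push` to `master` only, so the comment overstates the scan coverage; change it to `# Runs on every pull request and on pushes to master`. Every `uses:` in this hunk (`actions/checkout@v3`, `aquasecurity/trivy-action@0.9.2`, `github/codeql-action/upload-sarif@v2`) is referenced by a mutable tag, and for a job holding `security-events: write` pinning each action to its full commit SHA with the tag kept in a trailing `# vX.Y.Z` comment keeps the third-party code from changing under the scan; the same applies to the trivy-scheduled.yaml hunk. Note also that for `pull_request` runs from forks the GITHUB_TOKEN is read-only regardless of the `permissions:` block, so the `upload-sarif` step will fail on those runs unless it is skipped with a guard such as `if: github.event.pull_request.head.repo.full_name == github.repository`.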
@@ -0,0 +1,44 @@
+# Trivy: Scan of current branch
+# Trivy is a comprehensive and versatile security scanner.
+# Trivy has scanners that look for security issues, and targets where it can find those issues.
+# https://github.com/aquasecurity/trivy
+#
+# This runs on scheduled time (08:30 and 12:30)for the develop image
+# ------------------------------------------------------------------
+
+name: Trivy - scheduled scan
+
+on:
+  workflow_dispatch:
+    branches:
+      - master
+  schedule:
+    - cron: '30 8,12 * * *'
+
+jobs:
+  scan:
+    permissions:
+      contents: read
+      security-events: write
+    name: Build
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v3
+
+      - name: Ensure lowercase name
+        run: echo REPOSITORY_OWNER=$(echo ${{ github.repository_owner }} | tr '[:upper:]' '[:lower:]') >> $GITHUB_ENV
+
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@0.9.2
+        with:
+          image-ref: 'ghcr.io/${{ env.REPOSITORY_OWNER }}/dsw-appendix:latest'
+          format: 'sarif'
+          output: 'trivy-results.sarif'
+          severity: 'CRITICAL,HIGH'
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          sarif_file: 'trivy-results.sarif'
+          category: trivy-cron
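Review bot: The `branches: - master` lines following `workflow_dispatch:` are not a valid option at either level (`workflow_dispatch` accepts only `inputs`, and `on:` has no `branches` key of its own), so they are at best ignored and at worst rejected by the workflow validator; drop them, since the scheduled and manual runs do not check out a branch-specific ref anyway. The header comment was copied from the branch workflow: `# Trivy: Scan of current branch` and `# ... (08:30 and 12:30)for the develop image` describe neither the `:latest` image actually named in `image-ref` nor the fact that `schedule` cron times are UTC, so reword it to `# Runs on a schedule (08:30 and 12:30 UTC) and on manual dispatch, scanning the published :latest image`. The `Ensure lowercase name` step interpolates `${{ github.repository_owner }}` straight into a shell command; that value is repository-controlled so it is not exploitable here, but the hardened idiom that avoids expression-to-shell interpolation entirely is to read the runner's environment instead, `run: echo "REPOSITORY_OWNER=${GITHUB_REPOSITORY_OWNER,,}" >> "$GITHUB_ENV"`. The `actions/checkout` step also appears unnecessary for an `image-ref` scan, which does not read the repository, unless a `.trivyignore` from the checkout is relied on; and the tag-versus-SHA pinning remark on the trivy-branch.yaml hunk applies to every `uses:` here as well.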