From 7954f0ee6f2a73213bdeb60d4e8c5dc22efffdce Mon Sep 17 00:00:00 2001
From: Arthur Deierlein <arthur.deierlein@adfinis.com>
Date: Fri, 12 Apr 2024 12:40:37 +0200
Subject: [PATCH] chore(ci): add vulnerability scanning

---
 .github/workflows/schedule.yaml   | 14 +++++++++
 .github/workflows/trivy-scan.yaml | 48 +++++++++++++++++++++++++++++++
 2 files changed, 62 insertions(+)
 create mode 100644 .github/workflows/schedule.yaml
 create mode 100644 .github/workflows/trivy-scan.yaml

diff --git a/.github/workflows/schedule.yaml b/.github/workflows/schedule.yaml
new file mode 100644
index 00000000..4dda741b
--- /dev/null
+++ b/.github/workflows/schedule.yaml
@@ -0,0 +1,14 @@
+---
+name: Schedule
+
+on:
+  schedule:
+    - cron: 11 15 * * *
+  workflow_dispatch:
+
+jobs:
+  scan-backend:
+    name: Scan backend image
+    uses: ./.github/workflows/trivy-scan.yaml
+    with:
+      image-ref: ghcr.io/adfinis/timed-backend
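Review bot: The `scan-backend` job declares no `permissions`, so the token handed to the reusable workflow is whatever the repository's default GITHUB_TOKEN permissions are: if that default is read-only, the callee's request for `security-events: write` is rejected at run time, and if it is permissive the scan runs with far more than it needs. Declaring the grant on the caller job makes the contract explicit and least-privilege: `permissions:` / `  packages: read` / `  security-events: write` under `scan-backend`. Two smaller points: `image-ref: ghcr.io/adfinis/timed-backend` carries no tag, so the scan presumably targets whatever `latest` resolves to — state the tag if a specific published image is meant; and the cron expression is conventionally quoted, `- cron: "11 15 * * *"`, as GitHub's own examples do.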
diff --git a/.github/workflows/trivy-scan.yaml b/.github/workflows/trivy-scan.yaml
new file mode 100644
index 00000000..6bc154f1
--- /dev/null
+++ b/.github/workflows/trivy-scan.yaml
@@ -0,0 +1,48 @@
+---
+name: Trivy Scan
+
+on:
+  workflow_call:
+    inputs:
+      image-ref:
+        required: true
+        type: string
+        description: The image to scan e.g. ghcr.io/owner/image
+
+jobs:
+  trivy-scan:
+    permissions:
+      actions: none
+      checks: none
+      contents: none
+      deployments: none
+      issues: none
+      packages: write
+      pull-requests: none
+      repository-projects: none
+      security-events: write
+      statuses: none
+      id-token: none
+
+    runs-on: ubuntu-latest
+    name: Scan ${{ inputs.image-ref }}
+    steps:
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@0.19.0
+        with:
+          image-ref: ${{ inputs.image-ref }}
+          format: "sarif"
+          output: "trivy.sarif"
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v3
+        if: always()
+        with:
+          sarif_file: "trivy.sarif"
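Review bot: `packages: write` at the top of the job's `permissions` block is more than this job needs: the only registry interaction is `docker/login-action` authenticating so Trivy can pull `${{ inputs.image-ref }}`, which works with `packages: read`, and because a reusable workflow's permissions are capped by the caller's, asking for write also forces every caller to grant it. Change it to `packages: read`. The three actions are pinned by tag only (`docker/login-action@v3`, `aquasecurity/trivy-action@0.19.0`, `github/codeql-action/upload-sarif@v3`); for a workflow that receives a registry-capable token, pinning to a full commit SHA with the tag kept in a trailing comment is the usual hardening, e.g. `uses: aquasecurity/trivy-action@<commit-sha>  # 0.19.0`. Finally, no `exit-code` is set on the Trivy step, so findings are reported to the Security tab but never fail the run; if that is intended, say so above the step: `# Report-only: results go to the Security tab; set exit-code: "1" to fail the job on findings`.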