.github/workflows/trivy.yml

name: Trivy
on:
  push:
    branches: [ develop ]
  pull_request:
    branches: [ develop ]
    types: [opened, synchronize, reopened, ready_for_review]
jobs:
  build:
    if: github.event.pull_request.draft == false
    permissions:
      contents: read # for actions/checkout to fetch code
      security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
      actions: read #  only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
    name: Build
    runs-on: ubuntu-22.04
    steps:
      - name: Checkout code
        uses: actions/checkout@v3

      - name: Build an image from Dockerfile
        run: |
          docker build --pull -t docker.io/securefederatedai/openfl:${{ github.sha }} -f openfl-docker/Dockerfile.base .

      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@0.28.0
        with:
          image-ref: 'docker.io/securefederatedai/openfl:${{ github.sha }}'
          format: 'sarif'
          output: 'trivy-results.sarif'
        env:
          TRIVY_DB_REPOSITORY: 'ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db'

      - name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: 'trivy-results.sarif'

      - name: Install Trivy
        run: |
          curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sudo sh -s -- -b /usr/local/bin
  
      - name: Run Trivy code vulnerability scanner (JSON Output)
        run: |
          trivy --quiet fs \
          --format json \
          --output trivy-code-results.json \
          --ignore-unfixed \
          --vuln-type os,library \
          --severity CRITICAL,HIGH,MEDIUM,LOW \
          --db-repository 'ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db' \
          .

      - name: Upload Code Vulnerability Scan Results
        uses: actions/upload-artifact@v3
        with:
          name: trivy-code-report-json
          path: trivy-code-results.json
      
      - name: Run Trivy vulnerability scanner for Docker image (JSON Output)
        uses: aquasecurity/trivy-action@0.28.0
        with:
          image-ref: 'docker.io/securefederatedai/openfl:${{ github.sha }}'
          format: 'json'
          output: 'trivy-docker-results.json'
          exit-code: '1'
          ignore-unfixed: true
          vuln-type: 'os,library'
          severity: 'CRITICAL,HIGH,MEDIUM,LOW'
        env:
          TRIVY_DB_REPOSITORY: 'ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db'
  
      - name: Upload Docker Vulnerability Scan
        uses: actions/upload-artifact@v3
        with:
          name: trivy-docker-report-json
          path: trivy-docker-results.json

      - name: Run Trivy code vulnerability scanner (SPDX-JSON Output)
        run: |
          trivy --quiet fs \
          --format spdx-json \
          --output trivy-code-spdx-results.json \
          --ignore-unfixed \
          --vuln-type os,library \
          --severity CRITICAL,HIGH,MEDIUM,LOW \
          --db-repository 'ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db' \
          .
  
      - name: Upload Code Vulnerability Scan Results
        uses: actions/upload-artifact@v3
        with:
          name: trivy-code-spdx-report-json
          path: trivy-code-spdx-results.json
        
      - name: Run Trivy vulnerability scanner for Docker image (SPDX-JSON Output)
        uses: aquasecurity/trivy-action@0.28.0
        with:
          image-ref: 'docker.io/securefederatedai/openfl:${{ github.sha }}'
          format: 'spdx-json'
          output: 'trivy-docker-spdx-results.json'
          exit-code: '1'
          ignore-unfixed: true
          vuln-type: 'os,library'
          severity: 'CRITICAL,HIGH,MEDIUM,LOW'
        env:
          TRIVY_DB_REPOSITORY: 'ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db'
    
      - name: Upload Docker Vulnerability Scan
        uses: actions/upload-artifact@v3
        with:
          name: trivy-docker-spdx-report-json
          path: trivy-docker-spdx-results.json