.github/workflows/trivy-scan.yml

name: trivy-scanning

on:
  push:
    branches:
      - develop
  workflow_dispatch:

permissions: write-all

jobs:
  repo-scan:
    name: Trivy Repo Scan
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v3

      - name: Run Trivy vulnerability scanner in repo mode
        uses: aquasecurity/trivy-action@0.28.0
        with:
          scan-type: 'fs'
          ignore-unfixed: true
          format: 'sarif'
          output: 'trivy-results.sarif'
          severity: 'HIGH,CRITICAL'

      - name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: 'trivy-results.sarif'

  image-scans:
    name: Trivy Image Scans
    runs-on: ubuntu-latest
    strategy:
      matrix:
        service:
          - { name: "forms-flow-bpm", tag: "latest" }
          - { name: "forms-flow-forms", tag: "latest" }
          - { name: "forms-flow-webapi", tag: "latest" }
          - { name: "forms-flow-web", tag: "latest" }
          - { name: "redash", tag: "24.04.0" }
          - { name: "forms-flow-data-analysis-api", tag: "latest" }
          - { name: "forms-flow-documents-api", tag: "latest" }
    steps:
      - name: Install Trivy
        run: |
          sudo apt-get update
          sudo apt-get install -y wget apt-transport-https gnupg
          wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | sudo apt-key add -
          echo deb https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -cs) main | sudo tee -a /etc/apt/sources.list.d/trivy.list
          sudo apt-get update
          sudo apt-get install -y trivy

      - name: Download Trivy HTML Template
        run: wget https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/html.tpl -O html.tpl

      - name: Run Trivy Vulnerability Scanner
        run: |
          trivy image \
          --template @html.tpl \
          --format template \
          --vuln-type os,library \
          --severity CRITICAL,HIGH,MEDIUM \
          --scanners vuln,secret,misconfig,license \
          --output trivy-${{ matrix.service.name }}-results.html \
          docker.io/formsflow/${{ matrix.service.name }}:${{ matrix.service.tag }}

      - name: Upload Trivy Image Scan Results
        uses: actions/upload-artifact@v3
        with:
          name: trivy-${{ matrix.service.name }}-results
          path: trivy-${{ matrix.service.name }}-results.html