chore: Update Trivy workflow and dependencies

Signed-off-by: Schubert Anselme <[email protected]>
anselmes · Oct 10, 2024 · 260c7ca · 260c7ca
1 parent 22d22b9
commit 260c7ca
Show file tree

Hide file tree

Showing 6 changed files with 58 additions and 51 deletions.
diff --git a/.github/actions/trivy/action.yml b/.github/actions/trivy/action.yml
diff --git a/.github/workflows/cicd.yml b/.github/workflows/cicd.yml
@@ -16,12 +16,25 @@ jobs:
       issues: write
       pull-requests: write
       repository-projects: write
+
   trivy:
     uses: ./.github/workflows/trivy.yml
     permissions:
+      actions: read
+      attestations: read
+      checks: read
       contents: write
+      deployments: read
+      discussions: read
       id-token: write
+      issues: read
+      packages: read
+      pages: read
+      pull-requests: read
+      repository-projects: read
       security-events: write
+      statuses: read
+
   scorecard:
     uses: ./.github/workflows/scorecard.yml
     permissions:
@@ -39,5 +52,6 @@ jobs:
       repository-projects: read
       security-events: write
       statuses: read
+
   # sonarqube:
   #   uses: ./.github/workflows/sonarqube.yml
diff --git a/.github/workflows/cleanup.yml b/.github/workflows/cleanup.yml
@@ -50,19 +50,21 @@ jobs:
         with:
           fetch-depth: 0
           persist-credentials: false
+
       - name: Cleanup cache
         shell: bash
         run: ./scripts/delete-gh-actions-cache.sh
         if: ${{ github.event_name == 'pull_request' && github.event.action == 'closed' }}
         env:
           BRANCH: refs/pull/${{ github.event.pull_request.number }}/merge
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GITHUB_TOKEN: ${{ github.token }}
           REPO: ${{ github.repository }}
+
       - name: Cleanup cache
         shell: bash
         run: ./scripts/delete-gh-actions-cache.sh
         if: ${{ github.event_name != 'pull_request' }}
         env:
           BRANCH: ${{ inputs.branch || github.ref }}
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GITHUB_TOKEN: ${{ github.token }}
           REPO: ${{ github.repository }}
diff --git a/.github/workflows/review.yml b/.github/workflows/review.yml
@@ -26,6 +26,7 @@ jobs:
         with:
           fetch-depth: 0
           persist-credentials: false
+
       - name: Lint Code Base
         uses: github/super-linter@b807e99ddd37e444d189cfd2c2ca1274d8ae8ef1 # v7.1.0 https://github.com/super-linter/super-linter/commit/b92721f792f381cedc002ecdbb9847a15ece5bb8
         env:
@@ -36,6 +37,7 @@ jobs:
           VALIDATE_DOCKERFILE_HADOLINT: false # fixme: superlinter not using .hadolint.yaml
           VALIDATE_KUBERNETES_KUBECONFORM: false # fixme: enable kubeconform
           VALIDATE_YAML_PRETTIER: false # fixme: ignore symlink
+
       # - name: Trunk Check
       #   uses: trunk-io/trunk-action@86b68ffae610a05105e90b1f52ad8c549ef482c2 # v1.1.16 https://github.com/trunk-io/trunk-action/commit/86b68ffae610a05105e90b1f52ad8c549ef482c2
       #   with:
@@ -49,6 +51,7 @@ jobs:
         with:
           fetch-depth: 0
           persist-credentials: false
+
       # - name: GitGuardian Scan
       #   uses: GitGuardian/ggshield-action@ed817b2930f8dbf32995b6d8bbf65499e6a4e3be # v1.31.0 https://github.com/GitGuardian/ggshield-action/commit/ed817b2930f8dbf32995b6d8bbf65499e6a4e3be
       #   env:
@@ -57,6 +60,7 @@ jobs:
       #     GITHUB_PULL_BASE_SHA: ${{ github.event.pull_request.base.sha }}
       #     GITHUB_PUSH_BASE_SHA: ${{ github.event.before }}
       #     GITHUB_PUSH_BEFORE_SHA: ${{ github.event.before }}
+
       # - name: SonarQube Scan
       #   uses: sonarsource/sonarqube-scan-action@aecaf43ae57e412bd97d70ef9ce6076e672fe0a9 # v3.0.0 https://github.com/SonarSource/sonarqube-scan-action/commit/aecaf43ae57e412bd97d70ef9ce6076e672fe0a9
       #   env:
@@ -77,8 +81,10 @@ jobs:
         with:
           fetch-depth: 0
           persist-credentials: false
+
       - name: Labeler
         uses: actions/labeler@8558fd74291d67161a8a78ce36a881fa63b766a9 # v5.0.0 https://github.com/actions/labeler/commit/8558fd74291d67161a8a78ce36a881fa63b766a9
+
       - name: Dependency Review
         uses: actions/dependency-review-action@5a2ce3f5b92ee19cbb1541a4984c76d921601d7c # v4.3.4 https://github.com/actions/dependency-review-action/commit/5a2ce3f5b92ee19cbb1541a4984c76d921601d7c
         with:
@@ -101,5 +107,6 @@ jobs:
         with:
           fetch-depth: 0
           persist-credentials: false
+
       - name: Auto-assign
         uses: kentaro-m/auto-assign-action@f4648c0a9fdb753479e9e75fc251f507ce17bb7e # v2.0.0 https://github.com/kentaro-m/auto-assign-action/commit/f4648c0a9fdb753479e9e75fc251f507ce17bb7e
diff --git a/.github/workflows/sonarqube.yml b/.github/workflows/sonarqube.yml
@@ -14,9 +14,10 @@ jobs:
         with:
           fetch-depth: 0
           persist-credentials: false
+
       - name: SonarQube Quality Gate
         uses: sonarsource/sonarqube-quality-gate-action@d304d050d930b02a896b0f85935344f023928496 # v1.1.0 https://github.com/SonarSource/sonarqube-quality-gate-action/commit/d304d050d930b02a896b0f85935344f023928496
         timeout-minutes: 5
         env:
-          # SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }}
+          SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }}
           SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml
@@ -3,22 +3,44 @@ name: Trivy
 on:
   - workflow_call
 
-permissions:
-  contents: write
-  id-token: write
-  security-events: write
+permissions: read-all
 
 jobs:
   trivy:
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      id-token: write
+      security-events: write
     steps:
       - name: Checkout code
         uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.1.7  https://github.com/actions/checkout/commit/692973e3d937129bcbf40652eb9f2f61becf3332
         with:
           fetch-depth: 0
           persist-credentials: false
-      - name: Trivy Scan
-        uses: ./.github/actions/trivy
-        # with:
-        #   generate-sbom: ${{ github.ref == 'refs/heads/main' && github.event_name == 'push' }}
-        #   upload-scan-result: ${{ github.ref == 'refs/heads/main' && github.event_name == 'push' }}
+
+      - name: Run Trivy vulnerability scanner in repo mode
+        uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8 # v0.24.0 https://github.com/aquasecurity/trivy-action/commit/6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8
+        with:
+          exit-code: 1
+          format: sarif
+          hide-progress: false
+          ignore-unfixed: true
+          output: trivy-results.sarif
+          scan-type: fs
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@b8efe4dc6ab6d31abe3ec159420d2a4916880800 # v3.26.6 https://github.com/github/codeql-action/commit/b8efe4dc6ab6d31abe3ec159420d2a4916880800
+        if: ${{ github.ref == 'refs/heads/main' && github.event_name == 'push' }}
+        with:
+          sarif_file: trivy-results.sarif
+
+      - name: Run Trivy SBOM and submit results to Dependency Graph
+        uses: aquasecurity/trivy-action@fbd16365eb88e12433951383f5e99bd901fc618f # v0.24.0 https://github.com/aquasecurity/trivy-action/commit/6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8
+        if: ${{ github.ref == 'refs/heads/main' && github.event_name == 'push' }}
+        with:
+          format: github
+          github-pat: ${{ github.token }}
+          image-ref: .
+          output: dependency-results.sbom.json
+          scan-type: fs