From 18aabed65326a7a0a22a67fe09a842b205c0f6c1 Mon Sep 17 00:00:00 2001
From: Daniel Jovanovic
Date: Thu, 7 Nov 2024 13:13:21 +0100
Subject: [PATCH 1/8] Add docker container image scan with Trivy

---
 .github/workflows/trivy.yml | 41 +++++++++++++++++++++++++++++++++++++
 1 file changed, 41 insertions(+)
 create mode 100644 .github/workflows/trivy.yml

diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml
new file mode 100644
index 0000000..da9a83e
--- /dev/null
+++ b/.github/workflows/trivy.yml
@@ -0,0 +1,41 @@
+name: trivy
+
+on:
+  push:
+    branches: [ "main" ]
+  pull_request:
+    branches: [ "main" ]
+  schedule:
+    - cron: '44 1 * * 3'
+
+permissions:
+  contents: read
+
+jobs:
+  analyze:
+    permissions:
+      contents: read
+      security-events: write
+    name: Analyze
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Build image from Dockerfile
+        run: |
+          docker build --build-arg VERSION=$GITHUB_RUN_NUMBER --build-arg REVISION=${{ github.sha }} -t ghcr.io/geowerkstatt/interlis-check-service:${{ github.sha }} .
+
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@7b7aa264d83dc58691451798b4d117d53d21edfe
+        with:
+          image-ref: 'ghcr.io/geowerkstatt/interlis-check-service:${{ github.sha }}'
+          format: 'template'
+          template: '@/contrib/sarif.tpl'
+          output: 'trivy-results.sarif'
+          severity: 'CRITICAL,HIGH'
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: 'trivy-results.sarif'

From a0cfd9625a1cfc57faf2e646bc8d4b702cce4495 Mon Sep 17 00:00:00 2001
From: Daniel Jovanovic
Date: Thu, 7 Nov 2024 13:16:26 +0100
Subject: [PATCH 2/8] Update name

---
 .github/workflows/trivy.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml
index da9a83e..d86480e 100644
--- a/.github/workflows/trivy.yml
+++ b/.github/workflows/trivy.yml
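Review bot: Pinning is inconsistent in the new workflow: `aquasecurity/trivy-action` is pinned to a commit SHA, but `actions/checkout@v4` and `github/codeql-action/upload-sarif@v3` on the checkout and upload steps resolve mutable tags, so the supply-chain benefit of the SHA pin only covers one of the three actions; pin the other two to full commit SHAs with a trailing `# vX.Y.Z` comment as well. The scanner step sets `severity: 'CRITICAL,HIGH'` but no `exit-code`, so findings are only reported to the Security tab and never fail the job; if that is intended, document it on the step, e.g. `# report-only: results go to the Security tab, the job does not fail on findings`. On `pull_request` runs from forks the `GITHUB_TOKEN` is read-only, so the `upload-sarif` step, which needs `security-events: write`, will most likely fail there; either restrict the trigger or accept that fork PRs are not scanned.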
@@ -1,4 +1,4 @@
-name: trivy
+name: Trivy
 on:
   push:

From 62762cb7372d866cfbcd387f5c21c818cd766681 Mon Sep 17 00:00:00 2001
From: Daniel Jovanovic
Date: Thu, 7 Nov 2024 13:29:54 +0100
Subject: [PATCH 3/8] Use Amazon DB repository

Workaround for https://github.com/aquasecurity/trivy-action/issues/389
---
 .github/workflows/trivy.yml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml
index d86480e..5123841 100644
--- a/.github/workflows/trivy.yml
+++ b/.github/workflows/trivy.yml
@@ -28,6 +28,8 @@ jobs:
       - name: Run Trivy vulnerability scanner
         uses: aquasecurity/trivy-action@7b7aa264d83dc58691451798b4d117d53d21edfe
+        env:
+          TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db:2 # Addresses https://github.com/aquasecurity/trivy-action/issues/389
         with:
           image-ref: 'ghcr.io/geowerkstatt/interlis-check-service:${{ github.sha }}'
           format: 'template'

From 71340220e9ecf066bd3b4b434405c3c0b37f7b6b Mon Sep 17 00:00:00 2001
From: Daniel Jovanovic
Date: Thu, 7 Nov 2024 13:46:09 +0100
Subject: [PATCH 4/8] Update trivy.yml

---
 .github/workflows/trivy.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml
index 5123841..3a62bf7 100644
--- a/.github/workflows/trivy.yml
+++ b/.github/workflows/trivy.yml
@@ -29,7 +29,7 @@ jobs:
       - name: Run Trivy vulnerability scanner
         uses: aquasecurity/trivy-action@7b7aa264d83dc58691451798b4d117d53d21edfe
         env:
-          TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db:2 # Addresses https://github.com/aquasecurity/trivy-action/issues/389
+          TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db # Addresses https://github.com/aquasecurity/trivy-action/issues/389
         with:
           image-ref: 'ghcr.io/geowerkstatt/interlis-check-service:${{ github.sha }}'
           format: 'template'

From 0675d3285cd7a2ab45c192bad4e87c4deb0cd425 Mon Sep 17 00:00:00 2001
From: Daniel Jovanovic
Date: Thu, 7 Nov 2024 13:53:31 +0100
Subject: [PATCH 5/8] Update trivy.yml

---
 .github/workflows/trivy.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml
index 3a62bf7..3341d7e 100644
--- a/.github/workflows/trivy.yml
+++ b/.github/workflows/trivy.yml
@@ -29,7 +29,7 @@ jobs:
       - name: Run Trivy vulnerability scanner
         uses: aquasecurity/trivy-action@7b7aa264d83dc58691451798b4d117d53d21edfe
         env:
-          TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db # Addresses https://github.com/aquasecurity/trivy-action/issues/389
+          ACTIONS_RUNTIME_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Addresses https://github.com/aquasecurity/trivy-action/issues/389
         with:
           image-ref: 'ghcr.io/geowerkstatt/interlis-check-service:${{ github.sha }}'
           format: 'template'

From 7696c5d0e0c9dcfa5d0733e99448485f583ec519 Mon Sep 17 00:00:00 2001
From: Daniel Jovanovic
Date: Thu, 7 Nov 2024 14:29:24 +0100
Subject: [PATCH 6/8] Use environment variable whenever possible.

Co-authored-by: Oliver Gut
---
 .github/workflows/trivy.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml
index 3341d7e..c412099 100644
--- a/.github/workflows/trivy.yml
+++ b/.github/workflows/trivy.yml
@@ -24,7 +24,7 @@ jobs:
       - name: Build image from Dockerfile
         run: |
-          docker build --build-arg VERSION=$GITHUB_RUN_NUMBER --build-arg REVISION=${{ github.sha }} -t ghcr.io/geowerkstatt/interlis-check-service:${{ github.sha }} .
+          docker build --build-arg VERSION=$GITHUB_RUN_NUMBER --build-arg REVISION=${{ github.sha }} -t ghcr.io/$GITHUB_REPOSITORY:${{ github.sha }} .
       - name: Run Trivy vulnerability scanner
         uses: aquasecurity/trivy-action@7b7aa264d83dc58691451798b4d117d53d21edfe

From 376a4646c571900194d3f05f36383a1aa4e87863 Mon Sep 17 00:00:00 2001
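Review bot: The added `ACTIONS_RUNTIME_TOKEN: ${{ secrets.GITHUB_TOKEN }}` hands the job token to a third-party action under a variable that the runner itself normally populates for its cache and artifact services, and the only rationale is the issue link, so how this addresses the trivy-db pull limit is not evident from the diff. Exposure is bounded because the job's `permissions` block grants only `contents: read` and `security-events: write`, but a secret passed to an action should carry a comment stating what it is for and when it can go away, e.g. `# Workaround for aquasecurity/trivy-action#389 (trivy-db pull rate limit); job-scoped token, remove once upstream fixes the DB download`. If the action relies on the runner-provided value of this variable for its own caching, overriding it may change that behaviour, which is worth confirming in the run log. The `TRIVY_DB_REPOSITORY` fallback removed on the same line appears to be the action's documented knob for this problem, so keeping it alongside the token rather than replacing it seems safer.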
From: danjov
Date: Thu, 7 Nov 2024 14:41:56 +0100
Subject: [PATCH 7/8] Use env variable for docker image name

---
 .github/workflows/trivy.yml | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml
index c412099..7d7625a 100644
--- a/.github/workflows/trivy.yml
+++ b/.github/workflows/trivy.yml
@@ -22,16 +22,20 @@ jobs:
       - name: Checkout code
         uses: actions/checkout@v4
+      - name: Set environment variables
+        run: |
+          echo IMAGE_NAME=$REGISTRY/$(echo ${GITHUB_REPOSITORY,,}) >> $GITHUB_ENV
+
       - name: Build image from Dockerfile
         run: |
-          docker build --build-arg VERSION=$GITHUB_RUN_NUMBER --build-arg REVISION=${{ github.sha }} -t ghcr.io/$GITHUB_REPOSITORY:${{ github.sha }} .
+          docker build --build-arg VERSION=$GITHUB_RUN_NUMBER --build-arg REVISION=${{ github.sha }} -t ${{ env.IMAGE_NAME }}:${{ github.sha }} .
       - name: Run Trivy vulnerability scanner
         uses: aquasecurity/trivy-action@7b7aa264d83dc58691451798b4d117d53d21edfe
         env:
           ACTIONS_RUNTIME_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Addresses https://github.com/aquasecurity/trivy-action/issues/389
         with:
-          image-ref: 'ghcr.io/geowerkstatt/interlis-check-service:${{ github.sha }}'
+          image-ref: '${{ env.IMAGE_NAME }}:${{ github.sha }}'
           format: 'template'
           template: '@/contrib/sarif.tpl'
           output: 'trivy-results.sarif'

From 16136ddb9bc70cde67b4ea37b667634e951241a3 Mon Sep 17 00:00:00 2001
From: danjov
Date: Thu, 7 Nov 2024 14:44:47 +0100
Subject: [PATCH 8/8] Add missing registry url

---
 .github/workflows/trivy.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml
index 7d7625a..1d85727 100644
--- a/.github/workflows/trivy.yml
+++ b/.github/workflows/trivy.yml
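Review bot: In the new build step, `-t ${{ env.IMAGE_NAME }}:${{ github.sha }}` inside `run:` is expanded by the workflow templater before the shell sees it; the value is derived from `GITHUB_REPOSITORY` so it is not attacker-influenced here, but the same step already has it in its environment and `-t "$IMAGE_NAME:$GITHUB_SHA"` keeps the script free of expression interpolation, which is what the series' own "use environment variable whenever possible" commit asked for. The new `Set environment variables` step also wraps a bash parameter expansion in a redundant subshell and leaves the redirection target unquoted; `echo "IMAGE_NAME=${REGISTRY}/${GITHUB_REPOSITORY,,}" >> "$GITHUB_ENV"` does the same work. A short comment on that step, `# lowercase the repo slug: OCI image names must be lowercase`, would explain why the `,,` expansion is there.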
@@ -24,7 +24,7 @@ jobs:
       - name: Set environment variables
         run: |
-          echo IMAGE_NAME=$REGISTRY/$(echo ${GITHUB_REPOSITORY,,}) >> $GITHUB_ENV
+          echo IMAGE_NAME=ghcr.io/$REGISTRY/$(echo ${GITHUB_REPOSITORY,,}) >> $GITHUB_ENV
       - name: Build image from Dockerfile
         run: |
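Review bot: The new `echo IMAGE_NAME=ghcr.io/$REGISTRY/$(echo ${GITHUB_REPOSITORY,,})` still expands `$REGISTRY`, which is not defined anywhere in this workflow (no `env:` block and no `vars.` lookup is visible in the series), so unless it is injected from outside the repository the resulting reference is `ghcr.io//<owner>/<repo>` with an empty path component, which I would expect `docker build -t` to reject as an invalid reference format. Either drop the variable, `echo "IMAGE_NAME=ghcr.io/${GITHUB_REPOSITORY,,}" >> "$GITHUB_ENV"`, or declare `REGISTRY: ghcr.io` once in a workflow-level `env:` block and use `echo "IMAGE_NAME=${REGISTRY}/${GITHUB_REPOSITORY,,}" >> "$GITHUB_ENV"` so the registry is not spelled both as a literal and as a variable. The commit title says the registry URL was missing, which is consistent with the previous run having produced a `/owner/repo` name, so this line should be verified against an actual run before merging.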