From 80b44d2cd98e439467697dea97c78eb907fd7423 Mon Sep 17 00:00:00 2001
From: Saku K <6057704+saku-koodari@users.noreply.github.com>
Date: Wed, 8 Jan 2025 15:35:57 +0200
Subject: [PATCH 1/2] chore(scripts): create a script to check trivy

---
 scripts/run_trivy.sh | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)
 create mode 100755 scripts/run_trivy.sh

diff --git a/scripts/run_trivy.sh b/scripts/run_trivy.sh
new file mode 100755
index 00000000..a4c8d526
--- /dev/null
+++ b/scripts/run_trivy.sh
@@ -0,0 +1,22 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+source "$( dirname "${BASH_SOURCE[0]}" )/common-functions.sh"
+
+repo="https://github.com/Opetushallitus/koto-rekisteri"
+reportDir="temp"
+repoName="koto-rekisteri"
+trivyImage=aquasec/trivy:latest
+
+docker pull ${trivyImage}
+
+docker run --rm \
+ --volume trivy-cache:/trivy-cache \
+ --volume ${reportDir}:/reports \
+ ${trivyImage} \
+ repo ${repo} \
+ --cache-dir /trivy-cache \
+ --scanners vuln \
+ --format json \
+ --output /reports/${repoName}_trivy.json

From ae31eddf3abc647fc3e000d06a495ef73b6e444f Mon Sep 17 00:00:00 2001
From: Saku K <6057704+saku-koodari@users.noreply.github.com>
Date: Wed, 8 Jan 2025 15:46:47 +0200
Subject: [PATCH 2/2] feat(.github): add trivy to pipeline

---
 .github/workflows/build.yml | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 15f79c73..13e29be6 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -149,6 +149,18 @@ jobs:
 - name: Check formatting
 run: ./scripts/check-formatting.sh
 
+ security_scan:
+ name: Security scan with trivy
+ runs-on: ubuntu-24.04
+ steps:
+ - uses: actions/checkout@v4
+ - name: Scan with trivy
+ uses: aquasecurity/trivy-action@0.28.0
+ with:
+ scan-type: "fs"
+ scan-ref: "."
+ trivy-config: trivy.yaml
+
 build_image:
 name: Build image
 runs-on: ubuntu-24.04
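Review bot: `--volume ${reportDir}:/reports` with `reportDir="temp"` does not mount the repository's `temp/` directory: a volume source without a slash is treated by Docker as a named volume, so the JSON report lands in a volume called `temp` and never appears on the host. Use an absolute bind path, e.g. `mkdir -p "${reportDir}"` before the run and `--volume "${PWD}/${reportDir}":/reports` in it; quoting the other expansions (`"${trivyImage}"`, `"${repo}"`) would also match the `set -u` discipline the script declares. `trivyImage=aquasec/trivy:latest` together with `docker pull` lets the scanner version change silently between runs; pinning to a release tag, ideally with an image digest, keeps results reproducible and bounds what an upstream image change can do. Note also that `repo ${repo}` scans the default branch of the remote repository rather than the working tree, which differs from the `fs` scan of the checkout that the second patch adds to the workflow; a one-line comment in the script stating which target is intended would avoid the two drifting apart.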
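Review bot: The new `security_scan` job sets no `exit-code` or `severity` input, so unless `trivy.yaml` sets them the step exits 0 regardless of findings and the job reports rather than gates; neither patch in this series adds `trivy.yaml`, so if it does not already exist in the repository the `trivy-config: trivy.yaml` reference will likely fail at runtime. Making the policy explicit where the job is defined, e.g. `exit-code: "1"` and `severity: "CRITICAL,HIGH"` under `with:`, keeps the gating visible without opening the config file. `aquasecurity/trivy-action@0.28.0` is pinned to a mutable tag; pinning a third-party action to its full commit SHA (with the version in a trailing comment) is the usual hardening for a step that runs on every push. Findings are currently only written to the job log; consider `format: "sarif"` with an upload to code scanning or a job artifact so results are retained and diffable between runs.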