From 00f68703eb010328b39e75622c656f94c910a1f1 Mon Sep 17 00:00:00 2001
From: Jon Hadfield <jon@lessknown.co.uk>
Date: Sat, 16 Mar 2024 17:48:50 +0000
Subject: [PATCH] add trivy.

---
 .github/workflows/codeql-analysis.yml | 45 ++++++++++++++++++++++++
 .github/workflows/trivy.yml           | 49 +++++++++++++++++++++++++++
 2 files changed, 94 insertions(+)
 create mode 100644 .github/workflows/codeql-analysis.yml
 create mode 100644 .github/workflows/trivy.yml

diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
new file mode 100644
index 0000000..c42c6c8
--- /dev/null
+++ b/.github/workflows/codeql-analysis.yml
@@ -0,0 +1,45 @@
+name: "CodeQL"
+
+on:
+  push:
+#     branches: [ main ]
+    branches:
+      - main
+      - master
+      - fix_integrations
+  pull_request:
+    branches:
+    - main
+    - master
+    - fix_integrations
+  schedule:
+    - cron: '25 23 * * 6'
+
+jobs:
+  analyze:
+    name: Analyze
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+
+    strategy:
+      fail-fast: false
+      matrix:
+        language: [ 'go' ]
+
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v4
+
+    - name: Initialize CodeQL
+      uses: github/codeql-action/init@v3
+      with:
+        languages: ${{ matrix.language }}
+
+    - name: Autobuild
+      uses: github/codeql-action/autobuild@v3
+
+    - name: Perform CodeQL Analysis
+      uses: github/codeql-action/analyze@v3
diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml
new file mode 100644
index 0000000..a126e84
--- /dev/null
+++ b/.github/workflows/trivy.yml
@@ -0,0 +1,49 @@
+name: "Code Scanning"
+
+on:
+  push:
+  pull_request:
+  schedule:
+    - cron: '0 0 * * 1'
+  watch:
+    types: [started]
+
+jobs:
+  Trivy-Scan:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+#      - name: Build an image from Dockerfile
+#        run: |
+#          docker build -t docker.io/my-organization/my-app:${{ github.sha }} .
+#
+#      - name: Run Trivy vulnerability scanner in docker mode
+#        uses: aquasecurity/trivy-action@master
+#        with:
+#          image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}'
+#          format: 'template'
+#          template: '@/contrib/sarif.tpl'
+#          output: 'trivy-results-docker.sarif'
+#          severity: 'CRITICAL'
+#
+#      - name: Upload Trivy scan results to GitHub Security tab
+#        uses: github/codeql-action/upload-sarif@v1
+#        with:
+#          sarif_file: 'trivy-results-docker.sarif'
+
+      - name: Run Trivy vulnerability scanner in fs mode
+        uses: aquasecurity/trivy-action@master
+        with:
+          scan-type: 'fs'
+          ignore-unfixed: true
+          format: 'sarif'
+          output: 'trivy-results.sarif'
+          severity: 'CRITICAL'
+
+      - name: DEBUG Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: 'trivy-results.sarif'