kube-HPC · RonShvarz · Sep 18, 2023 · Jul 6, 2023 · Jul 6, 2023 · Jul 6, 2023
diff --git a/.github/workflows/main.yaml b/.github/workflows/main.yaml
@@ -46,18 +46,66 @@ jobs:
         env:
           DOCKER_HUB_PASS: ${{ secrets.DOCKER_PASSWORD }}
 
-      - name: Run Trivy vulnerability scanner on the docker image
-        uses: aquasecurity/trivy-action@master
-        with:
-          image-ref: '${{ env.IMAGE_NAME }}'
-          severity: CRITICAL
-          format: 'sarif'
-          output: 'trivy-results.sarif'
+      - name: Install Trivy
+        run: |
+          wget https://github.com/aquasecurity/trivy/releases/download/v0.43.0/trivy_0.43.0_Linux-64bit.deb
+          sudo dpkg -i trivy_0.43.0_Linux-64bit.deb
+
+      - name: Run Trivy license scan on repo
+        run: trivy fs /home/runner/work --scanners license --license-full --severity 'HIGH,CRITICAL' > trivy_license_filesystem.txt
+
+      - name: Run Trivy vulnerability scanner on the repo
+        run: trivy fs /home/runner/work --severity 'HIGH,CRITICAL' --format sarif  --output trivy_vuln_filesystem.sarif
+
+      - name: Run Trivy license scan on image
+        run: trivy image --scanners license --license-full --severity 'HIGH,CRITICAL' '${{ env.IMAGE_NAME }}' > trivy_license_image.txt
+
+      - name: Run Trivy vulnerability scanner on image
+        run: trivy image --severity 'HIGH,CRITICAL' --format sarif  --output trivy_vuln_image.sarif '${{ env.IMAGE_NAME }}'
 
-      - name: Upload Trivy scan results to GitHub Security tab
+      - name: Upload Trivy image vulnerability results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          sarif_file: 'trivy_vuln_image.sarif'
+          category: 'Trivy-Vulnerability-Image'
+
+      - name: Upload Trivy repo vulnerability results to GitHub Security tab
         uses: github/codeql-action/upload-sarif@v2
         with:
-          sarif_file: 'trivy-results.sarif' 
+          sarif_file: 'trivy_vuln_filesystem.sarif'
+          category: 'Trivy-Vulnerability-Repo'
+
+      - name: Update a branch with scan results
+        run: |
+          git config --global user.email "action@github.com"
+          git config --global user.name "GitHub Action"
+
+          existed_in_remote=$(git ls-remote --heads origin trivy-scan-results)
+          if [[ ${existed_in_remote} ]]; then
+            echo "branch exists in remote"
+            git fetch origin trivy-scan-results
+            echo "branch fetched"
+            git checkout trivy-scan-results
+            echo "origin branch swapped"
+          else
+            git checkout -b trivy-scan-results
+            echo "new branch swapped"
+          fi
+
+          mkdir -p TrivyScans
+          TIMESTAMP=$(date +"%Y-%m-%d %H:%M:%S")
+          echo "$TIMESTAMP" > ScanTimeStamp.txt
+          cp ScanTimeStamp.txt TrivyScans/
+          cp trivy_license_filesystem.txt TrivyScans/
+          cp trivy_license_image.txt TrivyScans/
+          git add TrivyScans/trivy_license_filesystem.txt
+          git add TrivyScans/trivy_license_image.txt
+          git add TrivyScans/ScanTimeStamp.txt
+          git commit -m "Add trivy scan result files to the folder 'TrivyScans'"
+          git push origin trivy-scan-results
+
+      - name: Display branch and file path link
+        run: echo "Results uploaded to [trivy-scan-results branch](https://github.com/$GITHUB_REPOSITORY/tree/trivy-scan-results/TrivyScans/)"
 
       - name: trigger site docker
         id: trigger

diff --git a/.github/workflows/trivy.yaml b/.github/workflows/trivy.yaml
@@ -0,0 +1,74 @@
+# This is a basic workflow to help you get started with Actions
+
+name: TRIVY-SCAN
+
+# Controls when the action will run. 
+on:
+  workflow_dispatch:
+    inputs:
+      image-ref:
+        description: Full docker image path (e.g. docker.io/hkube/site:v1.2.3)
+        required: true
+        default: 'docker.io/hkube/site:v2.6.4'
+jobs:
+  # This workflow contains a single job called "scan_and_upload"
+  scan_and_upload:
+    # The type of runner that the job will run on
+    runs-on: ubuntu-latest
+    # Steps represent a sequence of tasks that will be executed as part of the job
+    steps:
+      - uses: actions/checkout@v2
+      - name: Install Trivy
+        run: |
+          wget https://github.com/aquasecurity/trivy/releases/download/v0.43.0/trivy_0.43.0_Linux-64bit.deb
+          sudo dpkg -i trivy_0.43.0_Linux-64bit.deb
+
+      - name: Run Trivy license scan on repo
+        run: trivy fs /home/runner/work --scanners license --license-full --severity 'HIGH,CRITICAL' --format json  --output trivy_license_filesystem.txt  
+
+      - name: Run Trivy vulnerability scanner on repo
+        run: trivy fs /home/runner/work --severity 'HIGH,CRITICAL' > trivy_vuln_filesystem.txt
+
+      - name: Run Trivy license scan on image
+        run: trivy image --scanners license --license-full --severity 'HIGH,CRITICAL' '${{ inputs.image-ref }}' > trivy_license_image.txt
+
+      - name: Run Trivy vulnerability scanner on image
+        run: trivy image --severity 'HIGH,CRITICAL' '${{ inputs.image-ref }}' > trivy_vuln_image.txt
+
+      - name: Update a branch with scan results
+        run: |
+          git config --global user.email "action@github.com"
+          git config --global user.name "GitHub Action"
+
+          existed_in_remote=$(git ls-remote --heads origin trivy-scan-results)
+          if [[ ${existed_in_remote} ]]; then
+            echo "branch exists in remote"
+            git fetch origin trivy-scan-results
+            echo "branch fetched"
+            git checkout trivy-scan-results
+            echo "origin branch swapped"
+          else
+            git checkout -b trivy-scan-results
+            echo "new branch swapped"
+          fi
+
+          mkdir -p TrivyScans
+          TIMESTAMP=$(date +"%Y-%m-%d %H:%M:%S")
+          echo "$TIMESTAMP" > ScanTimeStamp.txt
+          cp ScanTimeStamp.txt TrivyScans/
+          cp trivy_license_filesystem.txt TrivyScans/
+          cp trivy_vuln_filesystem.txt TrivyScans/
+          cp trivy_license_image.txt TrivyScans/
+          cp trivy_vuln_image.txt TrivyScans/
+          git add TrivyScans/trivy_license_filesystem.txt
+          git add TrivyScans/trivy_vuln_filesystem.txt
+          git add TrivyScans/trivy_license_image.txt
+          git add TrivyScans/trivy_vuln_image.txt
+          git add TrivyScans/ScanTimeStamp.txt
+          git commit -m "Add trivy scan result files to the folder 'TrivyScans'"
+          git push origin trivy-scan-results
+
+
+      - name: Display branch link
+        run: echo "Results uploaded to [trivy-scan-results branch](https://github.com/$GITHUB_REPOSITORY/tree/trivy-scan-results/TrivyScans/)"
+        if: always()
diff --git a/.github/workflows/trivy_docker.yaml b/.github/workflows/trivy_docker.yaml