Update trivy worflow (#3416)

* update trivy worflow

* update

* generate requirements.txt to tmp path to isolate product deps only

* update to use runner.temp path

* change requirements.txt output path for trivy

* update bandit config to exclude tools folder

.ci/ipas_default.config

@@ -97,6 +97,11 @@ exclude_dirs: [
   '.vscode/',
   '.git/',
   'build/',
+  'tools/',
+]
+
+targets: [
+  'src',
 ]
 
 ### (optional) plugin settings - some test plugins require configuration data

.ci/trivy.yaml → .ci/trivy-csv.yaml

@@ -9,3 +9,8 @@ scan:
 severity: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
 vulnerability:
   ignore-unfixed: false
+format: template
+template: "@.ci/csv.tmpl"
+output: trivy-results.csv
+list-all-pkgs: true
+debug: true

.ci/trivy-json.yaml

@@ -0,0 +1,6 @@
+ignore-policy: ""
+ignorefile: .trivyignore
+format: spdx-json
+output: trivy-results.spdx.json
+list-all-pkgs: true
+debug: true

.github/workflows/code_scan.yml

@@ -15,7 +15,7 @@ permissions: read-all
 
 jobs:
   Trivy-scan:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-latest
     steps:
       - name: Checkout code
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
@@ -26,22 +26,27 @@ jobs:
       - name: Install dependencies
         run: |
           pip install --require-hashes --no-deps -r requirements/gh-actions.txt
-          pip-compile --generate-hashes -o /tmp/otx-dev-requirements.txt requirements/dev.txt
-          pip install --require-hashes --no-deps -r /tmp/otx-dev-requirements.txt
-      - name: Trivy Scanning
-        env:
-          TRIVY_DOWNLOAD_URL: ${{ vars.TRIVY_DOWNLOAD_URL }}
-        run: tox -vv -e trivy-scan
+          pip-compile --extra=full -o requirements.txt setup.py
+      - name: Trivy Scanning (CSV)
+        uses: aquasecurity/trivy-action@d710430a6722f083d3b36b8339ff66b32f22ee55 # 0.19.0
+        with:
+          trivy-config: ".ci/trivy-csv.yaml"
+          scan-type: "fs"
+          scan-ref: .
+          scanners: vuln,secret
+      - name: Trivy Scanning (spdx.json)
+        uses: aquasecurity/trivy-action@d710430a6722f083d3b36b8339ff66b32f22ee55 # 0.19.0
+        with:
+          trivy-config: ".ci/trivy-json.yaml"
+          scan-type: "fs"
+          scan-ref: .
       - name: Upload Trivy results artifact
         uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
         with:
           name: trivy-results
-          path: |
-            .tox/trivy-spdx-otx.json
-            .tox/trivy-results-otx.txt
-            .tox/trivy-results-otx.csv
+          path: trivy-results*
   Bandit:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-latest
     steps:
       - name: Checkout repository
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
@@ -52,9 +57,8 @@ jobs:
       - name: Install dependencies
         run: |
           pip install --require-hashes --no-deps -r requirements/gh-actions.txt
-          pip-compile --generate-hashes -o /tmp/otx-dev-requirements.txt requirements/dev.txt
-          pip install --require-hashes --no-deps -r /tmp/otx-dev-requirements.txt
-          rm /tmp/otx-dev-requirements.txt
+          pip-compile --generate-hashes -o ${{ runner.temp }}/requirements.txt requirements/dev.txt
+          pip install --require-hashes --no-deps -r ${{ runner.temp }}/requirements.txt
       - name: Bandit Scanning
         run: tox -e bandit-scan
       - name: Upload Bandit artifact

tox.ini

@@ -165,4 +165,4 @@ deps =
 allowlist_externals =
     bandit
 commands =
-    - bandit -r -c .ci/ipas_default.config {toxinidir}/ -f txt -o {toxworkdir}/bandit-report.txt
+    bandit -r -c .ci/ipas_default.config {toxinidir}/ -f txt -o {toxworkdir}/bandit-report.txt