Merge pull request #1599 from lukaszstolarczuk/enable-trivy

wlemkows · web-flow · commit 0b302e60be18 · 2024-05-14T10:10:52.000+02:00
[CI] Change docker linter from hadolint to trivy
diff --git a/.github/docker/ubuntu-22.04.Dockerfile b/.github/docker/ubuntu-22.04.Dockerfile
@@ -67,7 +67,8 @@ RUN /opt/install_dpcpp.sh
 COPY install_libbacktrace.sh /opt/install_libbacktrace.sh
 RUN /opt/install_libbacktrace.sh
 
-# Add a new (non-root) 'user'
-ENV USER user
+# Add a new (non-root) 'test_user' and switch to it
+ENV USER test_user
 ENV USERPASS pass
 RUN useradd -m "${USER}" -g sudo -p "$(mkpasswd ${USERPASS})"
+USER test_user
diff --git a/.github/workflows/hadolint.yml b/.github/workflows/hadolint.yml
diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml
@@ -0,0 +1,50 @@
+# Runs linter for Docker files
+name: Trivy
+
+on:
+  workflow_dispatch:
+  push:
+  pull_request:
+    paths:
+      - '.github/docker/*Dockerfile'
+      - '.github/workflows/trivy.yml'
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
+permissions:
+  contents: read
+
+jobs:
+  linux:
+    name: Trivy
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+
+    steps:
+      - name: Clone repo
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+
+      - name: Run Trivy
+        uses: aquasecurity/trivy-action@84384bd6e777ef152729993b8145ea352e9dd3ef # v0.17.0
+        with:
+          scan-type: 'config'
+          hide-progress: false
+          format: 'sarif'
+          output: 'trivy-results.sarif'
+          exit-code: 1  # Fail if issue found
+          # file with suppressions: .trivyignore (in root dir)
+
+      - name: Print report and trivyignore file
+        run: |
+          echo "### Trivy ignore content:"
+          cat .trivyignore
+          echo "### Trivy report:"
+          cat trivy-results.sarif
+
+      - name: Upload results
+        uses: github/codeql-action/upload-sarif@e8893c57a1f3a2b659b6b55564fdfdbbd2982911 # v3.24.0
+        with:
+          sarif_file: 'trivy-results.sarif'
diff --git a/.trivyignore b/.trivyignore
@@ -0,0 +1,6 @@
+# Docs: https://aquasecurity.github.io/trivy/latest/docs/configuration/filtering/#trivyignore
+
+# In docker files:
+# HEALTHCHECK is not required for development, nor in CI (failed docker = failed CI).
+# We're not hosting any application with usage of the dockers.
+AVD-DS-0026
