[CI] Add linter workflow for Dockerfiles: Trivy

lukaszstolarczuk · lukaszstolarczuk · commit 30317f714866 · 2024-02-13T12:45:52.000+01:00
diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml
@@ -0,0 +1,39 @@
+# Runs linter for Docker files
+name: Trivy
+
+on:
+  workflow_dispatch:
+  push:
+  pull_request:
+    paths:
+      - '.github/docker/*Dockerfile'
+      - '.github/workflows/trivy.yml'
+
+permissions:
+  contents: read
+
+jobs:
+  trivy:
+    name: Trivy
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+
+    steps:
+      - name: Clone the git repo
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+
+      - name: Run Trivy
+        uses: aquasecurity/trivy-action@84384bd6e777ef152729993b8145ea352e9dd3ef # v0.17.0
+        with:
+          scan-type: 'config'
+          hide-progress: false
+          format: 'sarif'
+          output: 'trivy-results.sarif'
+          exit-code: 1  # Fail if issue found
+          # See .trivyignore file with suppressions
+
+      - name: Upload results
+        uses: github/codeql-action/upload-sarif@e8893c57a1f3a2b659b6b55564fdfdbbd2982911 # v3.24.0
+        with:
+          sarif_file: 'trivy-results.sarif'
diff --git a/.trivyignore b/.trivyignore
@@ -0,0 +1,10 @@
+# Docs: https://aquasecurity.github.io/trivy/latest/docs/configuration/filtering/#trivyignore
+
+# In docker files:
+# non-root user is always created within docker, but we switch it only in CI workflows;
+# not enforcing non-root user makes it easier for developers to use their own users in local container
+AVD-DS-0002
+
+# In docker files:
+# HEALTHCHECK is not required for development, nor in CI (failed docker = failed CI)
+AVD-DS-0026
