.github/workflows/trivyimagescan.yaml

# This workflow uses actions that are not certified by GitHub.
# They are provided by a third-party and are governed by
# separate terms of service, privacy policy, and support
# documentation.

name: trivy_image_scan

on:
  push:
    branches:
    - master
  pull_request:

permissions:
  contents: read

jobs:
    trivy_image_scan-as-vending:
      permissions:
        contents: read # for actions/checkout to fetch code
        security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
        actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
      # as-vending
      name: trivy_image_scan-as-vending
      runs-on: "ubuntu-latest"
      steps:
        - name: Checkout code
          uses: actions/checkout@v3

        - name: Build an image from Dockerfile
          run: |
            echo "running make docker as-vending"
            cd as-vending
            make docker
        - name: Run Trivy vulnerability scanner
          uses: aquasecurity/trivy-action@7b7aa264d83dc58691451798b4d117d53d21edfe
          with:
            image-ref: 'automated-checkout/as-vending:dev'
            format: 'template'
            template: '@/contrib/sarif.tpl'
            output: 'trivy-results-as-vending.sarif'
            severity: 'CRITICAL,HIGH'
        - name: Upload Trivy scan results to GitHub Security tab
          uses: github/codeql-action/upload-sarif@v2
          with:
            sarif_file: 'trivy-results-as-vending.sarif'
    # as-controller-board-status
    trivy_image_scan-as-controller-board-status:
      permissions:
        contents: read # for actions/checkout to fetch code
        security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
        actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
      name: trivy_image_scan-as-controller-board-status
      runs-on: "ubuntu-latest"
      steps:
        - name: Checkout code
          uses: actions/checkout@v3

        - name: Build an image from Dockerfile
          run: |
            echo "running make docker as-controller-board-status"
            cd as-controller-board-status
            make docker
        - name: Run Trivy vulnerability scanner
          uses: aquasecurity/trivy-action@7b7aa264d83dc58691451798b4d117d53d21edfe
          with:
            image-ref: 'automated-checkout/as-controller-board-status:dev'
            format: 'template'
            template: '@/contrib/sarif.tpl'
            output: 'trivy-results-as-controller-board-status.sarif'
            severity: 'CRITICAL,HIGH'
        - name: Upload Trivy scan results to GitHub Security tab
          uses: github/codeql-action/upload-sarif@v2
          with:
            sarif_file: 'trivy-results-as-controller-board-status.sarif'
    # ds-card-reader
    trivy_image_scan-ds-card-reader:
      permissions:
        contents: read # for actions/checkout to fetch code
        security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
        actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
      name: trivy_image_scan-ds-card-reader
      runs-on: "ubuntu-latest"
      steps:
        - name: Checkout code
          uses: actions/checkout@v3

        - name: Build an image from Dockerfile
          run: |
            echo "running make docker ds-card-reader"
            cd ds-card-reader
            make docker
        - name: Run Trivy vulnerability scanner
          uses: aquasecurity/trivy-action@7b7aa264d83dc58691451798b4d117d53d21edfe
          with:
            image-ref: 'automated-checkout/ds-card-reader:dev'
            format: 'template'
            template: '@/contrib/sarif.tpl'
            output: 'trivy-results-ds-card-reader.sarif'
            severity: 'CRITICAL,HIGH'
        - name: Upload Trivy scan results to GitHub Security tab
          uses: github/codeql-action/upload-sarif@v2
          with:
            sarif_file: 'trivy-results-ds-card-reader.sarif'
    # ds-controller-board
    trivy_image_scan-ds-controller-board:
      permissions:
        contents: read # for actions/checkout to fetch code
        security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
        actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
      name: trivy_image_scan-ds-controller-board
      runs-on: "ubuntu-latest"
      steps:
        - name: Checkout code
          uses: actions/checkout@v3

        - name: Build an image from Dockerfile
          run: |
            echo "running make docker ds-controller-board"
            cd ds-controller-board
            make docker
        - name: Run Trivy vulnerability scanner
          uses: aquasecurity/trivy-action@7b7aa264d83dc58691451798b4d117d53d21edfe
          with:
            image-ref: 'automated-checkout/ds-controller-board:dev'
            format: 'template'
            template: '@/contrib/sarif.tpl'
            output: 'trivy-results-ds-controller-board.sarif'
            severity: 'CRITICAL,HIGH'
        - name: Upload Trivy scan results to GitHub Security tab
          uses: github/codeql-action/upload-sarif@v2
          with:
            sarif_file: 'trivy-results-ds-controller-board.sarif'
    # ms-authentication
    trivy_image_scan-ms-authentication:
      permissions:
        contents: read # for actions/checkout to fetch code
        security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
        actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
      name: trivy_image_scan-ms-authentication
      runs-on: "ubuntu-latest"
      steps:
        - name: Checkout code
          uses: actions/checkout@v3

        - name: Build an image from Dockerfile
          run: |
            echo "running make docker ms-authentication"
            cd ms-authentication
            make docker
        - name: Run Trivy vulnerability scanner
          uses: aquasecurity/trivy-action@7b7aa264d83dc58691451798b4d117d53d21edfe
          with:
            image-ref: 'automated-checkout/ms-authentication:dev'
            format: 'template'
            template: '@/contrib/sarif.tpl'
            output: 'trivy-results-ms-authentication.sarif'
            severity: 'CRITICAL,HIGH'
        - name: Upload Trivy scan results to GitHub Security tab
          uses: github/codeql-action/upload-sarif@v2
          with:
            sarif_file: 'trivy-results-ms-authentication.sarif'
    # ms-inventory
    trivy_image_scan-ms-inventory:
      permissions:
        contents: read # for actions/checkout to fetch code
        security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
        actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
      name: trivy_image_scan-ms-inventory
      runs-on: "ubuntu-latest"
      steps:
        - name: Checkout code
          uses: actions/checkout@v3

        - name: Build an image from Dockerfile
          run: |
            echo "running make docker ms-inventory"
            cd ms-inventory
            make docker
        - name: Run Trivy vulnerability scanner
          uses: aquasecurity/trivy-action@7b7aa264d83dc58691451798b4d117d53d21edfe
          with:
            image-ref: 'automated-checkout/ms-inventory:dev'
            format: 'template'
            template: '@/contrib/sarif.tpl'
            output: 'trivy-results-ms-inventory.sarif'
            severity: 'CRITICAL,HIGH'
        - name: Upload Trivy scan results to GitHub Security tab
          uses: github/codeql-action/upload-sarif@v2
          with:
            sarif_file: 'trivy-results-ms-inventory.sarif'
    # ms-ledger
    trivy_image_scan-ms-ledger:
      permissions:
        contents: read # for actions/checkout to fetch code
        security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
        actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
      name: trivy_image_scan-ms-ledger
      runs-on: "ubuntu-latest"
      steps:
        - name: Checkout code
          uses: actions/checkout@v3

        - name: Build an image from Dockerfile
          run: |
            echo "running make docker ms-ledger"
            cd ms-ledger
            make docker
        - name: Run Trivy vulnerability scanner
          uses: aquasecurity/trivy-action@7b7aa264d83dc58691451798b4d117d53d21edfe
          with:
            image-ref: 'automated-vending/ms-ledger:dev'
            format: 'template'
            template: '@/contrib/sarif.tpl'
            output: 'trivy-results-ms-ledger.sarif'
            severity: 'CRITICAL,HIGH'
        - name: Upload Trivy scan results to GitHub Security tab
          uses: github/codeql-action/upload-sarif@v2
          with:
            sarif_file: 'trivy-results-ms-ledger.sarif'