From 76d5ff7cd47d4888b34cbf9e3ac5507e0687cf20 Mon Sep 17 00:00:00 2001
From: Yunchu Lee
Date: Mon, 15 Jul 2024 09:44:41 +0900
Subject: [PATCH] update trivy scanning job

---
 .ci/trivy-json.yaml              |  6 ++++++
 .ci/trivy.yaml                   |  3 ++-
 .github/workflows/code_scan.yaml | 11 +++++++++--
 3 files changed, 17 insertions(+), 3 deletions(-)
 create mode 100644 .ci/trivy-json.yaml

diff --git a/.ci/trivy-json.yaml b/.ci/trivy-json.yaml
new file mode 100644
index 00000000000..79811807509
--- /dev/null
+++ b/.ci/trivy-json.yaml
@@ -0,0 +1,6 @@
+ignore-policy: ""
+ignorefile: .trivyignore
+format: spdx-json
+output: trivy-results.spdx.json
+list-all-pkgs: true
+debug: true
diff --git a/.ci/trivy.yaml b/.ci/trivy.yaml
index 4049a5d7adc..c576d56bcae 100644
--- a/.ci/trivy.yaml
+++ b/.ci/trivy.yaml
@@ -6,7 +6,8 @@ scan:
   - vuln
   - secret
 slow: false
-severity: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
+severity: MEDIUM,HIGH,CRITICAL
+exit-code: 1
 vulnerability:
   ignore-unfixed: false
 format: template
diff --git a/.github/workflows/code_scan.yaml b/.github/workflows/code_scan.yaml
index 42d359dc524..6001d5c5f29 100644
--- a/.github/workflows/code_scan.yaml
+++ b/.github/workflows/code_scan.yaml
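Review bot: `debug: true` on the last line of the new config turns on Trivy's debug logging for every CI run, which bloats the workflow log and typically echoes resolved settings and scanned paths; it reads like a leftover from local troubleshooting. Either drop it or keep it with a comment stating why, e.g. `debug: true  # TODO(review): remove once the SBOM step is stable`. The file also sets neither `scan.scanners` nor `severity`, so this step presumably inherits Trivy's defaults and never gates the job; if that is intended, a one-line header `# SBOM-only config: emits an SPDX document, no findings gate` would make it explicit for the next reader.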
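Review bot: Dropping `UNKNOWN` from `severity` removes findings that have no rating assigned yet from both the report and the new `exit-code: 1` gate, and newly published advisories often start in that state, so the change narrows coverage rather than only cutting noise. If LOW is the only class meant to go, `severity: UNKNOWN,MEDIUM,HIGH,CRITICAL` keeps the unrated ones visible; otherwise record the decision above the line, `# LOW/UNKNOWN intentionally excluded from the gate`. With `exit-code: 1` the scan step now fails the job on any remaining finding, so the artifact upload that follows it in code_scan.yaml only works because this same patch makes that step unconditional; worth keeping in mind if the steps are ever reordered.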
@@ -27,18 +27,25 @@ jobs:
         run: python -m pip install --require-hashes --no-deps -r .ci/requirements.txt
       - name: Freeze dependencies
         run: pip-compile --extra=docs,base,mmlab,anomaly -o requirements.txt pyproject.toml
+      - name: Trivy Scanning (spdx.json)
+        uses: aquasecurity/trivy-action@7c2007bcb556501da015201bcba5aa14069b74e2 # 0.23.0
+        with:
+          trivy-config: ".ci/trivy-json.yaml"
+          scan-type: "fs"
+          scan-ref: .
       - name: Trivy Scanning
         uses: aquasecurity/trivy-action@7c2007bcb556501da015201bcba5aa14069b74e2 # 0.23.0
         with:
           trivy-config: ".ci/trivy.yaml"
           scan-type: "fs"
           scan-ref: .
-          scanners: vuln,secret
       - name: Upload Trivy results artifact
         uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
         with:
           name: trivy-results
-          path: "${{ github.workspace }}/trivy-results.csv"
+          path: "${{ github.workspace }}/trivy-results.*"
+        # Use always() to always run this step to publish scan results when there are test failures
+        if: ${{ always() }}
   Bandit:
     runs-on: ubuntu-latest
     steps:
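Review bot: `if: ${{ always() }}` on the upload step also fires when the run is cancelled, which is rarely wanted for an artifact upload; `if: ${{ !cancelled() }}` gives the same behaviour on scan failure without that. The comment above it speaks of "test failures", but the step it protects is the Trivy scan, which now exits non-zero on findings because `.ci/trivy.yaml` sets `exit-code: 1` in this same patch, so `# Run even when the Trivy scan fails so the results are still published` states the intent more accurately. Removing `scanners: vuln,secret` from the action input moves that choice into `.ci/trivy.yaml`, whose `scan` block lists `vuln` and `secret`; the new spdx.json step has no such setting in `.ci/trivy-json.yaml`, so it presumably runs on Trivy's defaults, which is worth confirming. The enclosing job starts before this hunk.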