From 6376762bd4b58ac0278e655ca66bfdfca74adf1c Mon Sep 17 00:00:00 2001
From: Binbin Li
Date: Wed, 16 Oct 2024 13:05:56 +0800
Subject: [PATCH] ci: replace trivy with trivy-action (#1871)
Signed-off-by: Binbin Li
---
 .github/workflows/scan-vulns.yaml | 70 ++++++++++++++++++++++---------
 1 file changed, 50 insertions(+), 20 deletions(-)
diff --git a/.github/workflows/scan-vulns.yaml b/.github/workflows/scan-vulns.yaml
index b2ead2507..ad2d2fb54 100644
--- a/.github/workflows/scan-vulns.yaml
+++ b/.github/workflows/scan-vulns.yaml
@@ -37,6 +37,8 @@ jobs:
 name: "[Trivy] Scan for vulnerabilities"
 runs-on: ubuntu-22.04
 timeout-minutes: 15
+ env:
+ TRIVY_VERSION: v0.49.1
 steps:
 - name: Harden Runner
 uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1 
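Review bot: The new job-level `TRIVY_VERSION: v0.49.1` pin carries no comment saying why this version was chosen or that it now feeds both the setup-trivy step and every trivy-action step in the job; add `# Trivy CLI version shared by setup-trivy and all trivy-action steps; bump here` above it. The removed per-step env quoted its value (`"0.46.0"`) while the new one is a plain `v0.49.1`; the value is not type-ambiguous, but `TRIVY_VERSION: "v0.49.1"` keeps the file's quoting consistent. The pinned release also looks older than what trivy-action 0.27.0 would install by default, so confirm the pin is deliberate rather than carried over from the old manual download.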
@@ -46,30 +48,58 @@ jobs:
 - name: Check out code into the Go module directory
 uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871
- - name: Download trivy
- run: |
- pushd $(mktemp -d)
- wget https://github.com/aquasecurity/trivy/releases/download/v${{ env.TRIVY_VERSION }}/trivy_${{ env.TRIVY_VERSION }}_Linux-64bit.tar.gz
- tar zxvf trivy_${{ env.TRIVY_VERSION }}_Linux-64bit.tar.gz
- echo "$(pwd)" >> $GITHUB_PATH
- env:
- TRIVY_VERSION: "0.46.0"
+ - name: Manual Trivy Setup
+ uses: aquasecurity/setup-trivy@eadb05c36f891dc855bba00f67174a1e61528cd4 # v0.2.1
+ with:
+ cache: true
+ version: ${{ env.TRIVY_VERSION }}
 - name: Run trivy on git repository
- run: |
- trivy fs --format table --ignore-unfixed --scanners vuln .
+ uses: aquasecurity/trivy-action@5681af892cd0f4997658e2bacc62bd0a894cf564 # 0.27.0
+ with:
+ scan-type: 'fs'
+ scan-ref: '.'
+ ignore-unfixed: true
+ scanners: 'vuln'
+ version: ${{ env.TRIVY_VERSION }}
 - name: Build docker images
 run: |
 make e2e-build-local-ratify-image
 make e2e-build-crd-image
- - name: Run trivy on images for all severity
- run: |
- for img in "localbuild:test" "localbuildcrd:test"; do
- trivy image --ignore-unfixed --vuln-type="os,library" "${img}"
- done
- - name: Run trivy on images and exit on HIGH severity
- run: |
- for img in "localbuild:test" "localbuildcrd:test"; do
- trivy image --ignore-unfixed --exit-code 1 --severity HIGH --vuln-type="os,library" "${img}"
- done
+ 
+ - name: Run Trivy vulnerability scanner on localbuild:test
+ uses: aquasecurity/trivy-action@5681af892cd0f4997658e2bacc62bd0a894cf564 # 0.27.0
+ with:
+ scan-type: 'image'
+ image-ref: 'localbuild:test'
+ ignore-unfixed: true
+ version: ${{ env.TRIVY_VERSION }}
+ 
+ - name: Run Trivy vulnerability scanner on localbuildcrd:test
+ uses: aquasecurity/trivy-action@5681af892cd0f4997658e2bacc62bd0a894cf564 # 0.27.0
+ with:
+ scan-type: 'image'
+ image-ref: 'localbuildcrd:test'
+ ignore-unfixed: true
+ version: ${{ env.TRIVY_VERSION }}
+ 
+ - name: Run Trivy vulnerability scanner on localbuild:test and exit on HIGH severity
+ uses: aquasecurity/trivy-action@5681af892cd0f4997658e2bacc62bd0a894cf564 # 0.27.0
+ with:
+ scan-type: 'image'
+ image-ref: 'localbuild:test'
+ ignore-unfixed: true
+ severity: 'HIGH,CRITICAL'
+ exit-code: '1'
+ version: ${{ env.TRIVY_VERSION }}
+ 
+ - name: Run Trivy vulnerability scanner on localbuildcrd:test and exit on HIGH severity
+ uses: aquasecurity/trivy-action@5681af892cd0f4997658e2bacc62bd0a894cf564 # 0.27.0
+ with:
+ scan-type: 'image'
+ image-ref: 'localbuildcrd:test'
+ ignore-unfixed: true
+ severity: 'HIGH,CRITICAL'
+ exit-code: '1'
+ version: ${{ env.TRIVY_VERSION }}
\ No newline at end of file
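Review bot: The two gating steps are still named "… and exit on HIGH severity" but pass `severity: 'HIGH,CRITICAL'`, which widens the old `--severity HIGH` gate to CRITICAL as well; rename them, e.g. `- name: Run Trivy vulnerability scanner on localbuild:test and exit on HIGH or CRITICAL severity`, so the job log and any required-check name reflect what actually fails the build. The new file also ends without a trailing newline (the `\ No newline at end of file` marker); add one so the workflow passes yamllint's new-line-at-end-of-file rule. Since every trivy-action step already receives `version: ${{ env.TRIVY_VERSION }}`, the separate "Manual Trivy Setup" step looks redundant for this action version unless the action is told to skip its own setup — worth confirming against the 0.27.0 inputs before keeping both. The old `--vuln-type="os,library"` restriction is dropped and presumably relies on the action's default; a comment such as `# vuln-type left at the action default (os,library)` above the first image scan would record that intent.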