From 161bddc54b7497c8721d3c20c11a29b4ffa043fb Mon Sep 17 00:00:00 2001
From: Kai Reichart
Date: Thu, 28 Nov 2024 14:20:21 +0100
Subject: [PATCH] added trivy scanning
---
 .github/workflows/trivy-image-scan-test.yml | 6 ++++++
 .github/workflows/trivy-image-scan.yml | 23 +++++++++++++++++++++
 README.md | 21 +++++++++++++++++++
 3 files changed, 50 insertions(+)
 create mode 100644 .github/workflows/trivy-image-scan-test.yml
 create mode 100644 .github/workflows/trivy-image-scan.yml
diff --git a/.github/workflows/trivy-image-scan-test.yml b/.github/workflows/trivy-image-scan-test.yml
new file mode 100644
index 0000000..f447a8d
--- /dev/null
+++ b/.github/workflows/trivy-image-scan-test.yml
@@ -0,0 +1,6 @@
+on: [push]
+jobs:
+ test_build_docker:
+ uses: ./.github/workflows/trivy-image-scan.yml
+ with:
+ image: 'forgejo.edf-bootstrap.cx.fg1.ffm.osc.live/devfw-cicd/build/test:latest'
diff --git a/.github/workflows/trivy-image-scan.yml b/.github/workflows/trivy-image-scan.yml
new file mode 100644
index 0000000..1dddf46
--- /dev/null
+++ b/.github/workflows/trivy-image-scan.yml
@@ -0,0 +1,23 @@
+name: Run Trivy Image Scanner
+
+on:
+ workflow_call:
+ inputs:
+ image:
+ description: 'The image to test'
+ required: true
+ type: string
+
+jobs:
+ build-go:
+ runs-on: docker
+ container:
+ image: forgejo.edf-bootstrap.cx.fg1.ffm.osc.live/devfw-cicd/pipeline-container/trivy:0.56.2
+ steps:
+ - name: Clone Repository
+ uses: https://forgejo.edf-bootstrap.cx.fg1.ffm.osc.live/DevFW-CICD/checkout@main
+ - name: Run trivy image scan
+ run: |
+ set -e
+ TRIVY_INSECURE=true trivy image --scanners license,vuln,secret ${{ inputs.image }}
+ TRIVY_INSECURE=true trivy image --image-config-scanners secret,misconfig ${{ inputs.image }}
diff --git a/README.md b/README.md
index e69de29..666656d 100644
--- a/README.md
+++ b/README.md
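Review bot: The `image` handed to the reusable workflow is the mutable `…/devfw-cicd/build/test:latest` tag, so two pushes can scan different bits and a new finding cannot be tied to a change in this repository; pinning a fixed tag or a digest (`image: '…/build/test@sha256:<digest>'`, digest being a placeholder) makes a red run attributable. The job name `test_build_docker` describes a build, but the job only calls the scan workflow; `test_image_scan` would say what it does. The file also has no top-level `name:`, so the run is presumably listed under the file path only.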
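Review bot: Neither trivy command in the `run:` block can fail the job, because trivy exits 0 when it reports findings unless `--exit-code 1` is passed, so `set -e` only catches a scanner crash and the workflow never gates on vulnerabilities, secrets or misconfigurations. `${{ inputs.image }}` is also expanded directly into the shell script; routing it through `env:` and quoting `"$IMAGE"` keeps a caller-supplied value from being interpreted by the shell. `TRIVY_INSECURE=true` turns off TLS certificate verification for every registry and vulnerability-database connection the scan makes, which weakens the trust in the results themselves — if the internal registry needs it, a comment saying why (and ideally a trusted CA bundle instead) belongs next to it. The job name `build-go` does not match a scan job, and the checkout step appears unused since the script never reads the repository.
```yaml
# … unchanged: name, on.workflow_call inputs, runs-on, container, checkout step …
      - name: Run trivy image scan
        env:
          IMAGE: ${{ inputs.image }}
        run: |
          set -e
          # TRIVY_INSECURE disables TLS verification; prefer a trusted CA bundle for the internal registry
          TRIVY_INSECURE=true trivy image --exit-code 1 --scanners license,vuln,secret "$IMAGE"
          TRIVY_INSECURE=true trivy image --exit-code 1 --image-config-scanners secret,misconfig "$IMAGE"
```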
@@ -0,0 +1,21 @@
+# Run Trivy Image Scanner GitHub Action
+
+This GitHub Action scans Docker images for vulnerabilities, secrets, licenses, and misconfigurations using [Trivy](https://github.com/aquasecurity/trivy).
+
+## Inputs
+
+| Input Name | Description | Required | Type |
+|------------|-----------------------|----------|--------|
+| `image` | The Docker image to scan. | Yes | string |
+
+## Usage
+
+This action can be used in other workflows with `workflow_call`. Here’s an example:
+
+```yaml
+jobs:
+ scan:
+ uses:DevFW-CICD/vulnerability-scan/.github/workflows/trivy-image-scan.yml@main
+ with:
+ image: 'my-registry.com/project/image:latest'
+```