Merge pull request #33 from IABTechLab/tjm-UID2-2343-add-trivy-scanning-action

UID2-2343 Add Trivy scanning action

Author: thomasm-ttd

.github/workflows/shared-build-and-test.yaml

@@ -35,30 +35,9 @@ jobs:
           name: code-coverage-report
           path: target/site/jacoco/*
 
-      - name: Generate Trivy vulnerability scan report
-        uses: aquasecurity/[email protected]
-        if: inputs.publish_vulnerabilities == 'true'
+      - name: Vulnerability Scan
+        uses: IABTechLab/uid2-shared-actions/actions/[email protected]
         with:
-          scan-type: 'fs'
-          format: 'sarif'
-          exit-code: '0'
-          ignore-unfixed: true
-          severity: 'CRITICAL,HIGH'
-          output: 'trivy-results.sarif'
-          hide-progress: true
-
-      - name: Upload Trivy scan report to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@v2
-        if: inputs.publish_vulnerabilities == 'true'
-        with:
-          sarif_file: 'trivy-results.sarif'
-
-      - name: Test with Trivy vulnerability scanner
-        uses: aquasecurity/[email protected]
-        with:
-          scan-type: 'fs'
-          format: 'table'
-          exit-code: '1'
-          ignore-unfixed: true
-          severity: 'CRITICAL'
-          hide-progress: true
+          scan_severity: HIGH,CRITICAL
+          failure_severity: CRITICAL
+          publish_vulnerabilities: ${{ inputs.publish_vulnerabilities }}

.github/workflows/shared-java-publish-versioned-package.yaml

@@ -56,33 +56,11 @@ jobs:
         with:
           key: ${{ secrets.GPG_KEY }}
 
-      - name: Generate Trivy vulnerability scan report
-        uses: aquasecurity/[email protected]
-        if: inputs.publish_vulnerabilities == 'true'
+      - name: Vulnerability Scan
+        uses: IABTechLab/uid2-shared-actions/actions/[email protected]
         with:
-          scan-type: 'fs'
-          format: 'sarif'
-          exit-code: '0'
-          ignore-unfixed: true
-          severity: 'CRITICAL,HIGH'
-          output: 'trivy-results.sarif'
-          hide-progress: true
-
-      - name: Upload Trivy scan report to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@v2
-        if: inputs.publish_vulnerabilities == 'true'
-        with:
-          sarif_file: 'trivy-results.sarif'
-
-      - name: Test with Trivy vulnerability scanner
-        uses: aquasecurity/[email protected]
-        with:
-          scan-type: 'fs'
-          format: 'table'
-          exit-code: '1'
-          ignore-unfixed: true
-          severity: 'CRITICAL'
-          hide-progress: true
+          scan_severity: HIGH,CRITICAL
+          failure_severity: CRITICAL
 
       - name: Set version number
         id: version

.github/workflows/shared-release-major-minor-patch.yaml

@@ -3,9 +3,9 @@ on:
   workflow_call:
     inputs:
       failure_severity:
-        description: 'Must be one of CRITICAL, HIGH, MEDIUM'
+        description: 'Must be any of, or more than one of CRITICAL,HIGH,MEDIUM'
         required: false
-        default: 'HIGH'
+        default: 'HIGH,CRITICAL'
         type: string
       fail_on_error:
         description: 'If true, will fail the build if vulnerabilities are found'

.github/workflows/shared-validate-image.yaml

@@ -0,0 +1,45 @@
+name: Vulnerability Scanning
+description: Scans the file system for vulnerabilities
+inputs:
+  scan_severity:
+    description: 'The severity that will cause the action to report if a vulnerability at that level is detected. UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL'
+    required: false
+    default: 'CRITICAL,HIGH'
+  failure_severity:
+    description: 'The severity that will cause the action to fail if a vulnerability at that level is detected. UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL'
+    required: false
+    default: 'CRITICAL'
+  publish_vulnerabilities:
+    description: 'If true, will attempt to publish the results to the GitHub security tab'
+    required: false
+    default: 'true'
+runs:
+  using: "composite"
+  steps:
+  - name: Generate Trivy vulnerability scan report
+    uses: aquasecurity/[email protected]
+    if: inputs.publish_vulnerabilities == 'true'
+    with:
+      scan-type: 'fs'
+      format: 'sarif'
+      exit-code: '0'
+      ignore-unfixed: true
+      severity: ${{ inputs.scan_severity }}
+      output: 'trivy-results.sarif'
+      hide-progress: true
+
+  - name: Upload Trivy scan report to GitHub Security tab
+    uses: github/codeql-action/upload-sarif@v2
+    if: inputs.publish_vulnerabilities == 'true'
+    with:
+      sarif_file: 'trivy-results.sarif'
+
+  - name: Test with Trivy vulnerability scanner
+    uses: aquasecurity/[email protected]
+    with:
+      scan-type: 'fs'
+      format: 'table'
+      exit-code: '1'
+      ignore-unfixed: true
+      severity: ${{ inputs.failure_severity }}
+      hide-progress: true