Time Series Analytics: Fixed Trivy scans across filesystem, image, Dockerfile and Helm config (#373)

Updated the Time Series Analytics GitHub Actions workflow to standardize and fix Trivy scans across filesystem, image, and Helm config, and removes the old Zizmor scan job.

Renamed the workflow to reflect Trivy scans and removed the Zizmor job
Installed and configured Trivy via the Aqua Security APT repo
Added full filesystem package reports, Helm config scans, and a Dockerfile composite job

Signed-off-by: Vellaisamy, Sathyendran <sathyendran.vellaisamy@intel.com>

Author: sathyendranv

.github/workflows/timeseries-scans.yml

@@ -2,8 +2,8 @@
 # SPDX-FileCopyrightText: (C) 2025 Intel Corporation
 # SPDX-License-Identifier: Apache-2.0
 
-name: "[Time Series Analytics] PR Scans"
-run-name: "[Time Series Analytics] PR  workflow (by @${{ github.actor }} via ${{ github.event_name }})"
+name: "[Time Series Analytics] Trivy filesystem, image and config scans"
+run-name: "[Time Series Analytics] Trivy filesystem, image and config scans workflow (by @${{ github.actor }} via ${{ github.event_name }})"
 
 
 # Only run at most 1 workflow concurrently per PR, unlimited for branches
@@ -18,33 +18,7 @@ on:
     paths:
       - 'microservices/time-series-analytics/**'
 
-jobs:
-  zizmor-workflow-scan:
-    runs-on: ubuntu-22.04-32core-128GB  
-    permissions:
-      contents: read
-    env:
-      ZIZMOR_VERSION: 1.5.2
-    steps:
-      - name: Checkout Code
-        uses: actions/checkout@v4
-        with:
-          persist-credentials: false
-          
-      - name: Install uv
-        uses: astral-sh/setup-uv@f0ec1fc3b38f5e7cd731bb6ce540c5af426746bb
-        
-      - name: Run Zizmor Workflow Security Scan
-        continue-on-error: true
-        run: uvx zizmor=="$ZIZMOR_VERSION" "$GITHUB_WORKSPACE" --no-exit-codes > zizmor_workflow_scan_report.txt
-          
-      - name: Upload Zizmor Scan Report
-        uses: actions/upload-artifact@v4
-        if: always()
-        with:
-          name: zizmor-workflow-security-report
-          path: zizmor_workflow_scan_report.txt
-    
+jobs:   
   trivy-scan-job:
     permissions:
       contents: read
@@ -54,7 +28,16 @@ jobs:
         uses: actions/checkout@v4
         with:
           persist-credentials: false  
-      - name: trivy repo scan
+      - name: Install Trivy from Aqua Security APT repo
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y gnupg lsb-release wget apt-transport-https curl jq
+          curl -fsSL https://aquasecurity.github.io/trivy-repo/deb/public.key | sudo gpg --dearmor -o /usr/share/keyrings/trivy.gpg
+          echo "deb [signed-by=/usr/share/keyrings/trivy.gpg] https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -cs) main" | \
+          sudo tee /etc/apt/sources.list.d/trivy.list > /dev/null
+          sudo apt-get update
+          sudo apt-get install -y trivy
+      - name: Trivy filesystem/repo scan
         continue-on-error: true
         shell: bash
         run: |
@@ -65,37 +48,66 @@ jobs:
           trivy image --download-db-only
           curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/html.tpl -o trivy-html.tpl
           # Use the downloaded template
-          trivy fs . --format template --template "@trivy-html.tpl" -o "trivy_fs_code_scan.html"   
+          trivy fs . --format template --template "@trivy-html.tpl" -o "trivy_fs_code_scan.html" 
+          trivy fs --list-all-pkgs --format template --template "@trivy-html.tpl" --output trivy-fs-full-report.csv .
+          trivy fs --ignore-unfixed . | tee trivy-fs-full-report.txt  
       
-      - name: Upload trivy reports
+      - name: Upload trivy filesystem/repo scan reports
         continue-on-error: true
         uses: actions/upload-artifact@v4
         if: always()
         with:
-          name: trivy-code-scan-results-core
+          name: Trivy FileSystem scan report
           path: |
               microservices/time-series-analytics/trivy_fs_code_scan.html
+              microservices/time-series-analytics/trivy-fs-full-report.csv
+              microservices/time-series-analytics/trivy-fs-full-report.txt
       
       - name: Trivy Image Scan
         continue-on-error: true
         shell: bash
         run: |
               pwd
-              curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/html.tpl -o trivy-html.tpl
               echo "Building Time Series Analytics scanning"
               cd microservices/time-series-analytics/docker
               sed -i -e "s|TIME_SERIES_ANALYTICS_IMAGE=.*|TIME_SERIES_ANALYTICS_IMAGE=ia-time-series-analytics-microservice:latest|g" .env
               docker compose build
+              curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/html.tpl -o trivy-html.tpl
               trivy image ia-time-series-analytics-microservice:latest --ignore-unfixed --format template --template "@trivy-html.tpl" -o trivy_image_scan.html
               trivy image --quiet --format spdx-json --output trivy_image_scan.spdx.json ia-time-series-analytics-microservice:latest
               echo "completed Time Series Analytics scanning"
             
-      - name: Upload Trivy Image Report
+      - name: Upload Trivy Image Scan Report
         continue-on-error: true
         if: always()
         uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02
         with:
-          name: Trivy image scan report-core
+          name: Trivy image scan report
           path: |
-                microservices/time-series-analytics/trivy_image_scan.html
-                microservices/time-series-analytics/trivy_image_scan.spdx.json
+                microservices/time-series-analytics/docker/trivy_image_scan.html
+                microservices/time-series-analytics/docker/trivy_image_scan.spdx.json
+
+      - name: Trivy config scan for helm charts 
+        run: |
+          cd microservices/time-series-analytics/helm
+          trivy config . >> trivy_helm.txt
+          
+      - name: Upload Scan artifact to Github
+        uses: actions/upload-artifact@v4
+        with:
+          name: Trivy Config Scan for Helm
+          path: microservices/time-series-analytics/helm/trivy_*
+      
+  trivy-config-dockerfile-scan:
+    permissions:
+      contents: read
+    name: Scan Dockerfile
+    strategy:
+      fail-fast: false
+    uses: ./.github/workflows/trivy-config-mode.yaml
+    with:
+      dockerfile-path: microservices/time-series-analytics/Dockerfile
+      trivy-report-format: 'json'
+      severity-levels: 'HIGH,CRITICAL'
+      output-report-path: trivy-dockerfile.json
+      name: Time Series Dockerfile

microservices/time-series-analytics/config.json

@@ -11,4 +11,4 @@
             }
         }
     }
-}
+}