From 3c6f85c282c53fbd264d03013bae3652b4a63421 Mon Sep 17 00:00:00 2001
From: Joe Previte <jjprevite@gmail.com>
Date: Fri, 4 Mar 2022 15:59:29 -0700
Subject: [PATCH] fix: re-enable trivvy docker scan (#4943)

* fix: re-enable trivvy docker scan

* wip

* fixup

* fixup

* fixup
---
 .github/workflows/ci.yaml           |  1 -
 .github/workflows/trivy-docker.yaml | 65 +++++++++++++++++++++++++++++
 2 files changed, 65 insertions(+), 1 deletion(-)
 create mode 100644 .github/workflows/trivy-docker.yaml

diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index 81e0330ad..22ebdc2d2 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -464,7 +464,6 @@ jobs:
       - name: Checkout code
         uses: actions/checkout@v3
       - name: Run Trivy vulnerability scanner in repo mode
-        #Commit SHA for v0.0.17
         uses: aquasecurity/trivy-action@296212627a1e693efa09c00adc3e03b2ba8edf18
         with:
           scan-type: "fs"
diff --git a/.github/workflows/trivy-docker.yaml b/.github/workflows/trivy-docker.yaml
new file mode 100644
index 000000000..ae5c26665
--- /dev/null
+++ b/.github/workflows/trivy-docker.yaml
@@ -0,0 +1,65 @@
+name: Trivy Nightly Docker Scan
+
+on:
+  # Run scans if the workflow is modified, in order to test the
+  # workflow itself. This results in some spurious notifications,
+  # but seems okay for testing.
+  pull_request:
+    branches:
+      - main
+    paths:
+      - .github/workflows/trivy-docker.yaml
+
+  # Run scans against master whenever changes are merged.
+  push:
+    branches:
+      - main
+    paths:
+      - .github/workflows/trivy-docker.yaml
+
+  schedule:
+    # Run at 10:15 am UTC (3:15am PT/5:15am CT)
+    # Run at 0 minutes 0 hours of every day.
+    - cron: "15 10 * * *"
+
+  workflow_dispatch:
+
+permissions:
+  actions: none
+  checks: none
+  contents: read
+  deployments: none
+  issues: none
+  packages: none
+  pull-requests: none
+  repository-projects: none
+  security-events: none
+  statuses: none
+
+# Cancel in-progress runs for pull requests when developers push
+# additional changes, and serialize builds in branches.
+# https://docs.github.com/en/actions/using-jobs/using-concurrency#example-using-concurrency-to-cancel-any-in-progress-job-or-run
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+
+jobs:
+  trivy-scan-image:
+    runs-on: ubuntu-20.04
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v3
+
+      - name: Run Trivy vulnerability scanner in image mode
+        uses: aquasecurity/trivy-action@296212627a1e693efa09c00adc3e03b2ba8edf18
+        with:
+          image-ref: "docker.io/codercom/code-server:latest"
+          ignore-unfixed: true
+          format: "sarif"
+          output: "trivy-image-results.sarif"
+          severity: "HIGH,CRITICAL"
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v1
+        with:
+          sarif_file: "trivy-image-results.sarif"