From 1ca34a48bd05b9676e4e0b016e4042d63ac9285c Mon Sep 17 00:00:00 2001
From: Chris Bono <cbono@vmware.com>
Date: Fri, 16 Feb 2024 15:26:20 -0600
Subject: [PATCH] [feat][ci] Add Trivy container scan Github workflow

This commit introduces a Github Actions workflow that runs a Trivy
container scan on the following Docker containers:

- apachepulsar/pulsar:3.2.0
- apachepulsar/pulsar-all:3.2.0

The workflow runs daily @ 0800 UTC and if it finds any vulnerabilities
of HIGH or CRITICAL severity it sends an email including the report
to the Pulsar DEV mailing list as well as upload the report to the
workflow run in Github.
---
 .../workflows/ci-trivy-container-scan.yaml    | 92 +++++++++++++++++++
 1 file changed, 92 insertions(+)
 create mode 100644 .github/workflows/ci-trivy-container-scan.yaml

diff --git a/.github/workflows/ci-trivy-container-scan.yaml b/.github/workflows/ci-trivy-container-scan.yaml
new file mode 100644
index 0000000000000..f1a7a52f2f3cf
--- /dev/null
+++ b/.github/workflows/ci-trivy-container-scan.yaml
@@ -0,0 +1,92 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+
+name: CI - Trivy Container Scan
+on:
+  schedule:
+    - cron: '0 8 * * *' # Every day at 8am UTC
+  workflow_dispatch:
+    inputs:
+      report-format:
+        description: 'Format of the report'
+        type: choice
+        default: table
+        options:
+          - table
+          - json
+          - sarif
+      severity:
+        description: "Severities to include (comma-separated or 'ALL' to include all)"
+        required: false
+        default: 'CRITICAL,HIGH'
+
+jobs:
+  container_scan:
+    if: ${{ github.repository == 'apache/pulsar' }}
+    name: Trivy Docker image vulnerability scan
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        docker-image:
+          - 'apachepulsar/pulsar'
+          - 'apachepulsar/pulsar-all'
+        docker-tag:
+          - '3.2.0'
+    env:
+      IMAGE_REF: '${{ matrix.docker-image }}:${{ matrix.docker-tag }}'
+    steps:
+      - id: prepare-vars
+        shell: bash
+        run: |
+          IMAGE_REF_CLEAN="$(echo $IMAGE_REF | sed 's/-/_/g; s/\./_/g; s/:/_/g; s/\//_/g')"
+          echo "image_ref_clean=$IMAGE_REF_CLEAN" >> "$GITHUB_OUTPUT"
+          echo "report_filename=trivy-scan-$IMAGE_REF_CLEAN.${{ inputs.report-format }}" >> "$GITHUB_OUTPUT"
+      - name: Run Trivy container scan
+        uses: aquasecurity/trivy-action@master
+        with:
+          image-ref: ${{ env.IMAGE_REF }}
+          scanners: vuln
+          severity: ${{ inputs.severity != 'ALL' && inputs.severity ||  'UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL'  }}
+          limit-severities-for-sarif: true
+          format: ${{ inputs.report-format }}
+          output: ${{ steps.prepare-vars.outputs.report_filename }}
+          exit-code: 1
+      - name: Email Trivy container scan report
+        uses: dawidd6/action-send-mail@v3
+        if: ${{ failure() }}
+        with:
+          server_address: smtp.gmail.com
+          server_port: 465
+          secure: true
+          username: ${{secrets.TRIVY_SCAN_MAIL_USERNAME}}
+          password: ${{secrets.TRIVY_SCAN_MAIL_PASSWORD}}
+          subject: Trivy container scan results for ${{ env.IMAGE_REF }}
+          to: dev@pulsar.apache.org
+          from: Github Trivy Container Scanner
+          body: Trivy reported vulnerabilities (${{ inputs.severity }}) for ${{ env.IMAGE_REF }}
+          ignore_cert: true
+          attachments: '${{ github.workspace }}/${{ steps.prepare-vars.outputs.report_filename }}'
+      - name: Upload Trivy container scan report
+        uses: actions/upload-artifact@v4
+        if: ${{ failure() }}
+        with:
+          name: trivy-vuln-report-${{ steps.prepare-vars.outputs.image_ref_clean }}
+          path: '${{ github.workspace }}/${{ steps.prepare-vars.outputs.report_filename }}'
+          retention-days: 15