From 1ca34a48bd05b9676e4e0b016e4042d63ac9285c Mon Sep 17 00:00:00 2001
From: Chris Bono <cbono@vmware.com>
Date: Fri, 16 Feb 2024 15:26:20 -0600
Subject: [PATCH 1/5] [feat][ci] Add Trivy container scan Github workflow

This commit introduces a Github Actions workflow that runs a Trivy
container scan on the following Docker containers:

- apachepulsar/pulsar:3.2.0
- apachepulsar/pulsar-all:3.2.0

The workflow runs daily @ 0800 UTC and if it finds any vulnerabilities
of HIGH or CRITICAL severity it sends an email including the report
to the Pulsar DEV mailing list as well as upload the report to the
workflow run in Github.
---
 .../workflows/ci-trivy-container-scan.yaml    | 92 +++++++++++++++++++
 1 file changed, 92 insertions(+)
 create mode 100644 .github/workflows/ci-trivy-container-scan.yaml

diff --git a/.github/workflows/ci-trivy-container-scan.yaml b/.github/workflows/ci-trivy-container-scan.yaml
new file mode 100644
index 0000000000000..f1a7a52f2f3cf
--- /dev/null
+++ b/.github/workflows/ci-trivy-container-scan.yaml
@@ -0,0 +1,92 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+
+name: CI - Trivy Container Scan
+on:
+  schedule:
+    - cron: '0 8 * * *' # Every day at 8am UTC
+  workflow_dispatch:
+    inputs:
+      report-format:
+        description: 'Format of the report'
+        type: choice
+        default: table
+        options:
+          - table
+          - json
+          - sarif
+      severity:
+        description: "Severities to include (comma-separated or 'ALL' to include all)"
+        required: false
+        default: 'CRITICAL,HIGH'
+
+jobs:
+  container_scan:
+    if: ${{ github.repository == 'apache/pulsar' }}
+    name: Trivy Docker image vulnerability scan
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        docker-image:
+          - 'apachepulsar/pulsar'
+          - 'apachepulsar/pulsar-all'
+        docker-tag:
+          - '3.2.0'
+    env:
+      IMAGE_REF: '${{ matrix.docker-image }}:${{ matrix.docker-tag }}'
+    steps:
+      - id: prepare-vars
+        shell: bash
+        run: |
+          IMAGE_REF_CLEAN="$(echo $IMAGE_REF | sed 's/-/_/g; s/\./_/g; s/:/_/g; s/\//_/g')"
+          echo "image_ref_clean=$IMAGE_REF_CLEAN" >> "$GITHUB_OUTPUT"
+          echo "report_filename=trivy-scan-$IMAGE_REF_CLEAN.${{ inputs.report-format }}" >> "$GITHUB_OUTPUT"
+      - name: Run Trivy container scan
+        uses: aquasecurity/trivy-action@master
+        with:
+          image-ref: ${{ env.IMAGE_REF }}
+          scanners: vuln
+          severity: ${{ inputs.severity != 'ALL' && inputs.severity ||  'UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL'  }}
+          limit-severities-for-sarif: true
+          format: ${{ inputs.report-format }}
+          output: ${{ steps.prepare-vars.outputs.report_filename }}
+          exit-code: 1
+      - name: Email Trivy container scan report
+        uses: dawidd6/action-send-mail@v3
+        if: ${{ failure() }}
+        with:
+          server_address: smtp.gmail.com
+          server_port: 465
+          secure: true
+          username: ${{secrets.TRIVY_SCAN_MAIL_USERNAME}}
+          password: ${{secrets.TRIVY_SCAN_MAIL_PASSWORD}}
+          subject: Trivy container scan results for ${{ env.IMAGE_REF }}
+          to: dev@pulsar.apache.org
+          from: Github Trivy Container Scanner
+          body: Trivy reported vulnerabilities (${{ inputs.severity }}) for ${{ env.IMAGE_REF }}
+          ignore_cert: true
+          attachments: '${{ github.workspace }}/${{ steps.prepare-vars.outputs.report_filename }}'
+      - name: Upload Trivy container scan report
+        uses: actions/upload-artifact@v4
+        if: ${{ failure() }}
+        with:
+          name: trivy-vuln-report-${{ steps.prepare-vars.outputs.image_ref_clean }}
+          path: '${{ github.workspace }}/${{ steps.prepare-vars.outputs.report_filename }}'
+          retention-days: 15

From 9199bfbe13446ebf637835d7cb8a1d0097d49d60 Mon Sep 17 00:00:00 2001
From: Chris Bono <cbono@vmware.com>
Date: Wed, 28 Feb 2024 20:26:51 -0600
Subject: [PATCH 2/5] Add step to upload Sarif report to Github security tab

---
 .github/workflows/ci-trivy-container-scan.yaml | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/.github/workflows/ci-trivy-container-scan.yaml b/.github/workflows/ci-trivy-container-scan.yaml
index f1a7a52f2f3cf..48d557ddbeec9 100644
--- a/.github/workflows/ci-trivy-container-scan.yaml
+++ b/.github/workflows/ci-trivy-container-scan.yaml
@@ -90,3 +90,8 @@ jobs:
           name: trivy-vuln-report-${{ steps.prepare-vars.outputs.image_ref_clean }}
           path: '${{ github.workspace }}/${{ steps.prepare-vars.outputs.report_filename }}'
           retention-days: 15
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v2
+        if: ${{ failure() && inputs.report-format == 'sarif' }}
+        with:
+          sarif_file: '${{ github.workspace }}/${{ steps.prepare-vars.outputs.report_filename }}'

From bf48d9722faee9d73414f5c5a607f7507f4ca26f Mon Sep 17 00:00:00 2001
From: Chris Bono <cbono@vmware.com>
Date: Thu, 28 Mar 2024 11:09:26 -0500
Subject: [PATCH 3/5] Simplified workflow

- removed email
- removed choice of report format
---
 .../workflows/ci-trivy-container-scan.yaml    | 32 ++++---------------
 1 file changed, 6 insertions(+), 26 deletions(-)

diff --git a/.github/workflows/ci-trivy-container-scan.yaml b/.github/workflows/ci-trivy-container-scan.yaml
index 48d557ddbeec9..ece97b1dea76b 100644
--- a/.github/workflows/ci-trivy-container-scan.yaml
+++ b/.github/workflows/ci-trivy-container-scan.yaml
@@ -23,14 +23,6 @@ on:
     - cron: '0 8 * * *' # Every day at 8am UTC
   workflow_dispatch:
     inputs:
-      report-format:
-        description: 'Format of the report'
-        type: choice
-        default: table
-        options:
-          - table
-          - json
-          - sarif
       severity:
         description: "Severities to include (comma-separated or 'ALL' to include all)"
         required: false
@@ -48,7 +40,7 @@ jobs:
           - 'apachepulsar/pulsar'
           - 'apachepulsar/pulsar-all'
         docker-tag:
-          - '3.2.0'
+          - '3.2.1'
     env:
       IMAGE_REF: '${{ matrix.docker-image }}:${{ matrix.docker-tag }}'
     steps:
@@ -58,6 +50,7 @@ jobs:
           IMAGE_REF_CLEAN="$(echo $IMAGE_REF | sed 's/-/_/g; s/\./_/g; s/:/_/g; s/\//_/g')"
           echo "image_ref_clean=$IMAGE_REF_CLEAN" >> "$GITHUB_OUTPUT"
           echo "report_filename=trivy-scan-$IMAGE_REF_CLEAN.${{ inputs.report-format }}" >> "$GITHUB_OUTPUT"
+
       - name: Run Trivy container scan
         uses: aquasecurity/trivy-action@master
         with:
@@ -65,24 +58,10 @@ jobs:
           scanners: vuln
           severity: ${{ inputs.severity != 'ALL' && inputs.severity ||  'UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL'  }}
           limit-severities-for-sarif: true
-          format: ${{ inputs.report-format }}
+          format: 'sarif'
           output: ${{ steps.prepare-vars.outputs.report_filename }}
           exit-code: 1
-      - name: Email Trivy container scan report
-        uses: dawidd6/action-send-mail@v3
-        if: ${{ failure() }}
-        with:
-          server_address: smtp.gmail.com
-          server_port: 465
-          secure: true
-          username: ${{secrets.TRIVY_SCAN_MAIL_USERNAME}}
-          password: ${{secrets.TRIVY_SCAN_MAIL_PASSWORD}}
-          subject: Trivy container scan results for ${{ env.IMAGE_REF }}
-          to: dev@pulsar.apache.org
-          from: Github Trivy Container Scanner
-          body: Trivy reported vulnerabilities (${{ inputs.severity }}) for ${{ env.IMAGE_REF }}
-          ignore_cert: true
-          attachments: '${{ github.workspace }}/${{ steps.prepare-vars.outputs.report_filename }}'
+
       - name: Upload Trivy container scan report
         uses: actions/upload-artifact@v4
         if: ${{ failure() }}
@@ -90,8 +69,9 @@ jobs:
           name: trivy-vuln-report-${{ steps.prepare-vars.outputs.image_ref_clean }}
           path: '${{ github.workspace }}/${{ steps.prepare-vars.outputs.report_filename }}'
           retention-days: 15
+
       - name: Upload Trivy scan results to GitHub Security tab
         uses: github/codeql-action/upload-sarif@v2
-        if: ${{ failure() && inputs.report-format == 'sarif' }}
+        if: ${{ failure() }}
         with:
           sarif_file: '${{ github.workspace }}/${{ steps.prepare-vars.outputs.report_filename }}'

From f0c61fd2b7845e54a64786eac1782bc6472c135f Mon Sep 17 00:00:00 2001
From: Chris Bono <cbono@vmware.com>
Date: Thu, 28 Mar 2024 11:11:10 -0500
Subject: [PATCH 4/5] Simplified workflow

- removed upload report step
---
 .github/workflows/ci-trivy-container-scan.yaml | 10 ----------
 1 file changed, 10 deletions(-)

diff --git a/.github/workflows/ci-trivy-container-scan.yaml b/.github/workflows/ci-trivy-container-scan.yaml
index ece97b1dea76b..8288d8055bf04 100644
--- a/.github/workflows/ci-trivy-container-scan.yaml
+++ b/.github/workflows/ci-trivy-container-scan.yaml
@@ -50,7 +50,6 @@ jobs:
           IMAGE_REF_CLEAN="$(echo $IMAGE_REF | sed 's/-/_/g; s/\./_/g; s/:/_/g; s/\//_/g')"
           echo "image_ref_clean=$IMAGE_REF_CLEAN" >> "$GITHUB_OUTPUT"
           echo "report_filename=trivy-scan-$IMAGE_REF_CLEAN.${{ inputs.report-format }}" >> "$GITHUB_OUTPUT"
-
       - name: Run Trivy container scan
         uses: aquasecurity/trivy-action@master
         with:
@@ -61,15 +60,6 @@ jobs:
           format: 'sarif'
           output: ${{ steps.prepare-vars.outputs.report_filename }}
           exit-code: 1
-
-      - name: Upload Trivy container scan report
-        uses: actions/upload-artifact@v4
-        if: ${{ failure() }}
-        with:
-          name: trivy-vuln-report-${{ steps.prepare-vars.outputs.image_ref_clean }}
-          path: '${{ github.workspace }}/${{ steps.prepare-vars.outputs.report_filename }}'
-          retention-days: 15
-
       - name: Upload Trivy scan results to GitHub Security tab
         uses: github/codeql-action/upload-sarif@v2
         if: ${{ failure() }}

From 6588078e50e4c2264c2ff02ac986831a876c065d Mon Sep 17 00:00:00 2001
From: Chris Bono <cbono@vmware.com>
Date: Thu, 28 Mar 2024 11:29:30 -0500
Subject: [PATCH 5/5] Dropped pulsar-all and use tag 'latest'

---
 .github/workflows/ci-trivy-container-scan.yaml | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/.github/workflows/ci-trivy-container-scan.yaml b/.github/workflows/ci-trivy-container-scan.yaml
index 8288d8055bf04..47ebe654369d5 100644
--- a/.github/workflows/ci-trivy-container-scan.yaml
+++ b/.github/workflows/ci-trivy-container-scan.yaml
@@ -38,9 +38,8 @@ jobs:
       matrix:
         docker-image:
           - 'apachepulsar/pulsar'
-          - 'apachepulsar/pulsar-all'
         docker-tag:
-          - '3.2.1'
+          - 'latest'
     env:
       IMAGE_REF: '${{ matrix.docker-image }}:${{ matrix.docker-tag }}'
     steps: