.github/workflows/scan.yml

name: Scan

on:
  schedule:
    - cron: "0 6 * * *" # Every day at 8am
  # Allow to run this workflow manually
  workflow_dispatch:

env:
  CONTAINER_REGISTRY: ghcr.io
  CONTAINER_IMAGE_NAME: ${{ github.repository }}
  CONTAINER_IMAGE_VERSION: ${{ github.sha }}

jobs:
  reset-trivy-cache:
    runs-on: ubuntu-latest
    steps:
      - name: Remove all caches and database of the trivy scanner
        uses: aquasecurity/trivy-action@69cbbc0cbbf6a2b0bab8dcf0e9f2d7ead08e87e4
        env:
          TRIVY_RESET: true
          TRIVY_DEBUG: true
        with:
          scan-type: "image"
      - name: Download trivy vulnerabilities DB
        uses: aquasecurity/trivy-action@69cbbc0cbbf6a2b0bab8dcf0e9f2d7ead08e87e4
        env:
          TRIVY_DEBUG: true
          TRIVY_DOWNLOAD_DB_ONLY: true
        with:
          scan-type: "image"
      - name: Download trivy Java index DB
        uses: aquasecurity/trivy-action@69cbbc0cbbf6a2b0bab8dcf0e9f2d7ead08e87e4
        env:
          TRIVY_DEBUG: true
          TRIVY_DOWNLOAD_JAVA_DB_ONLY: true
        with:
          scan-type: "image"
  vulnerability-scan-backend:
    runs-on: ubuntu-latest
    needs: reset-trivy-cache
    permissions:
      contents: read
      id-token: write # for cosign w/ keyless signing
      packages: write # for updating cosign attestation
      security-events: write
    steps:
      - uses: actions/checkout@v4
      - name: Run Trivy vulnerability scanner
        # Third-party action, pin to commit SHA!
        # See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
        uses: aquasecurity/trivy-action@69cbbc0cbbf6a2b0bab8dcf0e9f2d7ead08e87e4
        env:
          TRIVY_USERNAME: ${{ github.actor }}
          TRIVY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
        with:
          image-ref: ${{ env.CONTAINER_REGISTRY }}/${{ env.CONTAINER_IMAGE_NAME }}:${{ env.CONTAINER_IMAGE_VERSION }}
          format: "sarif"
          output: "trivy-results.sarif"
          severity: "CRITICAL,HIGH"
          exit-code: "1" # Fail the build!
      - name: Check trivy results
        run: |
          if grep -qE 'HIGH|CRITICAL' trivy-results.sarif; then
            echo "Vulnerabilities found"
            exit 1
          else
            echo "No significant vulnerabilities found"
            exit 0
          fi
      - name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v2
        if: ${{ always() && github.ref == 'refs/heads/main' }} # Bypass non-zero exit code..
        with:
          sarif_file: "trivy-results.sarif"
      - name: Generate cosign vulnerability scan record
        # Third-party action, pin to commit SHA!
        # See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
        uses: aquasecurity/trivy-action@69cbbc0cbbf6a2b0bab8dcf0e9f2d7ead08e87e4
        env:
          TRIVY_USERNAME: ${{ github.actor }}
          TRIVY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
        with:
          image-ref: ${{ env.CONTAINER_REGISTRY }}/${{ env.CONTAINER_IMAGE_NAME }}:${{ env.CONTAINER_IMAGE_VERSION }}
          format: "cosign-vuln"
          output: "vuln-backend.json"
      - name: Install cosign
        # Third-party action, pin to commit SHA!
        # See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
        uses: sigstore/cosign-installer@9c520b997e685cb69e1ac226f7dce8114e8f36df
      - name: Log into container registry
        # Third-party action, pin to commit SHA!
        # See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
        uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d
        with:
          registry: ${{ env.CONTAINER_REGISTRY }}
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Attest vulnerability scan
        run: cosign attest --yes --replace --predicate vuln-backend.json --type vuln ${{ env.CONTAINER_REGISTRY }}/${{ env.CONTAINER_IMAGE_NAME }}:${{ env.CONTAINER_IMAGE_VERSION }}
        env:
          COSIGN_EXPERIMENTAL: "true"
      - name: Send status to Slack
        # Third-party action, pin to commit SHA!
        # See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
        uses: lazy-actions/slatify@c4847b8c84e3e8076fd3c42cc00517a10426ed65
        if: ${{ failure() && github.ref == 'refs/heads/main' && env.SLACK_WEBHOOK_URL }}
        env:
          SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
        with:
          type: ${{ job.status }}
          job_name: "Vulnerability scan backend :point_right:"
          mention: "here"
          mention_if: "failure"
          commit: true
          url: ${{ secrets.SLACK_WEBHOOK_URL }}
          token: ${{ secrets.GITHUB_TOKEN }}

  vulnerability-scan-frontend:
    runs-on: ubuntu-latest
    needs: reset-trivy-cache
    permissions:
      contents: read
      id-token: write # for cosign w/ keyless signing
      packages: write # for updating cosign attestation
      security-events: write
    steps:
      - uses: actions/checkout@v4
      - name: Run Trivy vulnerability image scanner
        # Third-party action, pin to commit SHA!
        # See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
        uses: aquasecurity/trivy-action@69cbbc0cbbf6a2b0bab8dcf0e9f2d7ead08e87e4
        with:
          image-ref: ${{ env.CONTAINER_REGISTRY }}/${{ env.CONTAINER_IMAGE_NAME }}/frontend:${{ env.CONTAINER_IMAGE_VERSION }}
          format: "sarif"
          output: "trivy-results.sarif"
          severity: "CRITICAL,HIGH"
          exit-code: "1" # Fail the build!
      - name: Check trivy results
        run: |
          if grep -qE 'HIGH|CRITICAL' trivy-results.sarif; then
            echo "Vulnerabilities found"
            exit 1
          else
            echo "No significant vulnerabilities found"
            exit 0
          fi
      - name: Upload Trivy image scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v2
        if: ${{ always() && github.ref == 'refs/heads/main' }} # Bypass non-zero exit code..
        with:
          sarif_file: "trivy-results.sarif"
          category: trivy-image-scan
      - name: Run Trivy vulnerability file scanner
        # Third-party action, pin to commit SHA!
        # See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
        uses: aquasecurity/trivy-action@69cbbc0cbbf6a2b0bab8dcf0e9f2d7ead08e87e4
        with:
          scan-type: "fs"
          scan-ref: "./frontend"
          skip-dirs: "node_modules" # See https://github.com/aquasecurity/trivy/issues/1283
          format: "sarif"
          output: "trivy-results.sarif"
          severity: "CRITICAL,HIGH"
          exit-code: "1" # Fail the build!
      - name: Check trivy results
        run: |
          if grep -qE 'HIGH|CRITICAL' trivy-results.sarif; then
            echo "Vulnerabilities found"
            exit 1
          else
            echo "No significant vulnerabilities found"
            exit 0
          fi
      - name: Upload Trivy file scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v2
        if: ${{ always() && github.ref == 'refs/heads/main' }} # Bypass non-zero exit code..
        with:
          sarif_file: "trivy-results.sarif"
          category: trivy-fs-scan
      - name: Generate cosign vulnerability scan record
        # Third-party action, pin to commit SHA!
        # See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
        uses: aquasecurity/trivy-action@69cbbc0cbbf6a2b0bab8dcf0e9f2d7ead08e87e4
        env:
          TRIVY_USERNAME: ${{ github.actor }}
          TRIVY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
        with:
          image-ref: ${{ env.CONTAINER_REGISTRY }}/${{ env.CONTAINER_IMAGE_NAME }}/frontend:${{ env.CONTAINER_IMAGE_VERSION }}
          format: "cosign-vuln"
          output: "vuln-frontend.json"
      - name: Install cosign
        # Third-party action, pin to commit SHA!
        # See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
        uses: sigstore/cosign-installer@9c520b997e685cb69e1ac226f7dce8114e8f36df
      - name: Log into container registry
        # Third-party action, pin to commit SHA!
        # See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
        uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d
        with:
          registry: ${{ env.CONTAINER_REGISTRY }}
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Attest vulnerability scan
        run: cosign attest --yes --replace --predicate vuln-frontend.json --type vuln ${{ env.CONTAINER_REGISTRY }}/${{ env.CONTAINER_IMAGE_NAME }}/frontend:${{ env.CONTAINER_IMAGE_VERSION }}
        env:
          COSIGN_EXPERIMENTAL: "true"
      - name: Send status to Slack
        # Third-party action, pin to commit SHA!
        # See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
        uses: lazy-actions/slatify@c4847b8c84e3e8076fd3c42cc00517a10426ed65
        if: ${{ failure() && github.ref == 'refs/heads/main' && env.SLACK_WEBHOOK_URL }}
        env:
          SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
        with:
          type: ${{ job.status }}
          job_name: "Vulnerability scan frontend :point_right:"
          mention: "here"
          mention_if: "failure"
          commit: true
          url: ${{ secrets.SLACK_WEBHOOK_URL }}
          token: ${{ secrets.GITHUB_TOKEN }}