From f04b0242c7f2e3f2f520c2b150c5aa576c77631c Mon Sep 17 00:00:00 2001 From: Z4ck404 Date: Wed, 4 Sep 2024 13:40:41 +0200 Subject: [PATCH] [.github] improve image scanning workflow with trivy and remove old workflows --- .github/workflows/image-scanning.yaml | 26 ------ .github/workflows/trivy-image-scanning.yaml | 90 +++++++++++++++++++++ 2 files changed, 90 insertions(+), 26 deletions(-) delete mode 100644 .github/workflows/image-scanning.yaml create mode 100644 .github/workflows/trivy-image-scanning.yaml diff --git a/.github/workflows/image-scanning.yaml b/.github/workflows/image-scanning.yaml deleted file mode 100644 index 838b6462e..000000000 --- a/.github/workflows/image-scanning.yaml +++ /dev/null @@ -1,26 +0,0 @@ -name: Scan DP images -on: - schedule: - - cron: '0 0 * * 1' - -jobs: - trivy_scanning: - runs-on: self-hosted - name: Trivy scan - steps: - - name: Run Trivy vulnerability scanner - uses: aquasecurity/trivy-action@master - with: - image-ref: 'public.ecr.aws/ocean-spark/spark-operator:ocean-spark' - format: 'sarif' - ignore-unfixed: true - vuln-type: 'os,library' - output: 'trivy-results.sarif' - severity: 'CRITICAL,HIGH' - security-checks: 'vuln' - - - name: Upload Trivy scan results to GitHub Security tab - uses: github/codeql-action/upload-sarif@v2 - if: always() - with: - sarif_file: 'trivy-results.sarif' diff --git a/.github/workflows/trivy-image-scanning.yaml b/.github/workflows/trivy-image-scanning.yaml new file mode 100644 index 000000000..966e27439 --- /dev/null +++ b/.github/workflows/trivy-image-scanning.yaml 
@@ -0,0 +1,90 @@
+name: Trivy image scanning
+on:
+ workflow_dispatch:
+ schedule:
+ - cron: '0 0 * * 1'
+
+env:
+ PUBLIC_ECR: public.ecr.aws/ocean-spark
+ IMAGE_NAME: spark-operator
+ IMAGE_TAG: main
+
+jobs:
+ public-ecr-scan:
+ runs-on: ubuntu-latest
+ name: scan
+ steps:
+ - name: trivy scan for github security tab
+ uses: aquasecurity/trivy-action@0.24.0
+ with:
+ image-ref: '${{ env.PUBLIC_ECR }}/${{ env.IMAGE_NAME }}:${{ env.IMAGE_TAG }}'
+ format: 'sarif'
+ ignore-unfixed: true
+ vuln-type: 'os,library'
+ output: 'trivy-results-public.sarif'
+ timeout: 30m0s
+
+ - name: Check for HIGH or CRITICAL vulnerabilities
+ id: check-vuln
+ run: |
+ if grep -q 'CRITICAL\|HIGH' trivy-results-public.sarif; then
+ echo "::set-output name=highOrCriticalFound::true"
+ echo "High or Critical vulnerabilities found, creating JIRA ticket"
+ else
+ echo "::set-output name=highOrCriticalFound::false"
+ echo "No High or Critical vulnerabilities found, skipping JIRA ticket creation"
+ fi
+
+ - name: Login
+ if: steps.check-vuln.outputs.highOrCriticalFound == 'true'
+ uses: atlassian/gajira-login@v3
+ env:
+ JIRA_BASE_URL: "https://spotinst.atlassian.net"
+ JIRA_USER_EMAIL: ${{ secrets.JIRA_USER_EMAIL }}
+ JIRA_API_TOKEN: ${{ secrets.JIRA_API_TOKEN }}
+
+ - name: trivy scan for jira tracking
+ if: steps.check-vuln.outputs.highOrCriticalFound == 'true'
+ uses: aquasecurity/trivy-action@0.24.0
+ with:
+ image-ref: '${{ env.PUBLIC_ECR }}/${{ env.IMAGE_NAME }}:${{ env.IMAGE_TAG }}'
+ format: template
+ ignore-unfixed: true
+ vuln-type: 'os,library'
+ template: "@/contrib/html.tpl"
+ output: trivy-report.html
+ timeout: 30m0s
+
+ - name: Upload Trivy scan results to GitHub Security tab
+ uses: github/codeql-action/upload-sarif@v2
+ if: always()
+ with:
+ sarif_file: 'trivy-results-public.sarif'
+
+ - name: Get current date
+ if: steps.check-vuln.outputs.highOrCriticalFound == 'true'
+ id: date
+ run: echo "::set-output name=date::$(date +'%Y-%m-%d')"
+
+ - name: Create JIRA ticket
+ if: steps.check-vuln.outputs.highOrCriticalFound == 'true'
+ id: jira-ticket
+ uses: atlassian/gajira-create@v3
+ with:
+ project: BGD
+ issuetype: Task
+ summary: |
+ [Scan of ${{ steps.date.outputs.date }}] fix vulnerabilities discovered in ${{ env.IMAGE_NAME }}.
+ fields: '{"customfield_10028": "Fix issues in ${{ env.IMAGE_NAME }} image, see report attached for more details", "customfield_10026": "Updated version of ${{ env.IMAGE_NAME }} image", "labels":["INFRASTRUCTURE","VULNERABILITIES","DEVOPS"]}'
+
+ - name: Attach Trivy scan html results to JIRA ticket
+ if: steps.check-vuln.outputs.highOrCriticalFound == 'true'
+ env:
+ JIRA_API_URL: "https://spotinst.atlassian.net/rest/api/3/issue/${{ steps.jira-ticket.outputs.issue }}/attachments"
+ JIRA_ENCODED_API_TOKEN: ${{ secrets.JIRA_ENCODED_API_TOKEN }}
+ run: |
+ curl -X POST $JIRA_API_URL \
+ -H 'Authorization: Basic ${{ secrets.JIRA_ENCODED_API_TOKEN }}' \
+ -H 'X-Atlassian-Token: no-check' \
+ -H 'Accept: application/json' \
+ --form 'file=@trivy-report.html'
\ No newline at end of file
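Review bot: The HIGH/CRITICAL gate in the `check-vuln` step is a substring grep over the whole SARIF document, so any rule description, package name or URL that happens to contain `HIGH` or `CRITICAL` can open a Jira ticket even when no finding at that severity exists, and because the first scan no longer passes `severity:` (the deleted workflow did) the SARIF now also carries LOW/MEDIUM findings. Let Trivy do the classification instead: add `severity: 'CRITICAL,HIGH'` to the first scan's `with:` and replace the grep with `if [ "$(jq '[.runs[].results[]] | length' trivy-results-public.sarif)" -gt 0 ]; then`, so a ticket is opened only when a result at those severities is present (jq is available on the hosted ubuntu runner). In the attach step `JIRA_ENCODED_API_TOKEN` is exported as an env var but the `run:` body interpolates `${{ secrets.JIRA_ENCODED_API_TOKEN }}` straight into the command text; use `-H "Authorization: Basic $JIRA_ENCODED_API_TOKEN"` and quote `"$JIRA_API_URL"` so the secret is read from the environment rather than spliced into the script. The workflow also declares no `permissions:` block; `upload-sarif` needs `security-events: write`, and a top-level `permissions: { contents: read, security-events: write }` makes that explicit while dropping any write scopes the default token would otherwise carry. Finally, `::set-output` is deprecated and should be replaced by `echo "highOrCriticalFound=true" >> "$GITHUB_OUTPUT"` (and likewise for the `date` step).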