.github/workflows/trivy.yml

name: Trivy

on:
  schedule:
    - cron: "0 0 * * *"
  workflow_dispatch:
    inputs:
      branch:
        description: 'branch to run scans on'
        default: 'main'
        type: string  


env:
  BUILD_TYPE: Release
  MTL_BUILD_DISABLE_PCAPNG: true
  PREFIX_DIR: /usr/local
  DEBIAN_FRONTEND: noninteractive
permissions:
  contents: read

jobs:
  trivy:
    name: Build
    runs-on: ubuntu-20.04
    steps:
      - name: Checkout code
        uses: actions/checkout@v2
        with:
          ref: ${{ inputs.branch }}
      - name: 'Install dependencies'
        run: |
          sudo apt-get update -y && \
          sudo apt-get install -y --no-install-recommends \
              git build-essential meson python3 python3-pyelftools pkg-config \
              libnuma-dev libjson-c-dev libpcap-dev libgtest-dev libsdl2-dev \
              libsdl2-ttf-dev libssl-dev ca-certificates m4 clang llvm zlib1g-dev \
              libelf-dev libcap-ng-dev libcap2-bin gcc-multilib systemtap-sdt-dev ninja-build \
              nasm dpdk-dev librdmacm-dev && \
          sudo apt-get clean && \
          sudo rm -rf /var/lib/apt/lists/*
          
      - name: Build an image from Dockerfile
        run: |
          cd docker
          docker build -t mtl:latest -f ubuntu.dockerfile ../

      - name: Run Trivy vulnerability scanner with sarif output
        uses: aquasecurity/trivy-action@7c2007bcb556501da015201bcba5aa14069b74e2 # v0.23.0
        with:
          image-ref: 'mtl:latest'
          format: 'sarif'
          exit-code: '0'
          ignore-unfixed: true
          vuln-type: 'os,library'
          output: 'Trivy-image-scan-results.sarif'
      - name: Upload Trivy scan results to GitHub Security tab
        if: always()
        uses: github/codeql-action/upload-sarif@b611370bb5703a7efb587f9d136a52ea24c5c38c # v3.25.11
        with:
          sarif_file: 'Trivy-image-scan-results.sarif'
      - name: Run Trivy vulnerability scanner with with table output
        if: always()
        uses: aquasecurity/trivy-action@7c2007bcb556501da015201bcba5aa14069b74e2 # v0.23.0
        with:
          image-ref: 'mtl:latest'
          format: 'sarif'
          scanners: 'vuln,secret,misconfig'
          exit-code: '1'
          output: 'Trivy-image-scan-results.sarif'
      - name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@b611370bb5703a7efb587f9d136a52ea24c5c38c # v3.25.11
        with:
          sarif_file: 'Trivy-image-scan-results.sarif'
      - uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
        with:
          name: trivy-results
          path: 'trivy-results.sarif'
          format: 'table'
          exit-code: '0'
          ignore-unfixed: true
          vuln-type: 'os,library'
          output: 'Trivy-image-scan-results.txt'

      - uses: actions/upload-artifact@v4
        if: always()
        with:
          name: trivy-results
          path: 'Trivy-image-scan-results.txt'