🌱 add support for trivy SAST tool

Signed-off-by: Adam Korczynski <[email protected]>

Author: AdamKorcz

checker/raw_result.go

@@ -286,6 +286,8 @@ const (
 	PysaWorkflow SASTWorkflowType = "Pysa"
 	// QodanaWorkflow represents a workflow that runs Qodana.
 	QodanaWorkflow SASTWorkflowType = "Qodana"
+	// TrivyWorkflow represents a workflow that runs Trivy.
+	TrivyWorkflow SASTWorkflowType = "Trivy"
 )
 
 // SASTWorkflow represents a SAST workflow.

checks/raw/sast.go

@@ -87,6 +87,12 @@ func SAST(c *checker.CheckRequest) (checker.SASTData, error) {
 	}
 	data.Workflows = append(data.Workflows, qodanaWorkflows...)
 
+	trivyWorkflows, err := getSastUsesWorkflows(c, "^aquasecurity/trivy-action$", checker.TrivyWorkflow)
+	if err != nil {
+		return data, err
+	}
+	data.Workflows = append(data.Workflows, trivyWorkflows...)
+
 	return data, nil
 }
 

checks/raw/sast_test.go

@@ -195,6 +195,29 @@ func TestSAST(t *testing.T) {
 				},
 			},
 		},
+		{
+			name:  "Has Trivy",
+			files: []string{".github/workflows/github-trivy-workflow.yaml"},
+			commits: []clients.Commit{
+				{
+					AssociatedMergeRequest: clients.PullRequest{
+						Number: 1,
+					},
+				},
+			},
+			expected: checker.SASTData{
+				Workflows: []checker.SASTWorkflow{
+					{
+						Type: checker.TrivyWorkflow,
+						File: checker.File{
+							Path:   ".github/workflows/github-trivy-workflow.yaml",
+							Offset: checker.OffsetDefault,
+							Type:   finding.FileTypeSource,
+						},
+					},
+				},
+			},
+		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {

checks/raw/testdata/.github/workflows/github-trivy-workflow.yaml

@@ -0,0 +1,24 @@
+name: build
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+jobs:
+  build:
+    name: Build
+    runs-on: ubuntu-24.04
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v3
+      - name: Build an image from Dockerfile
+        run: docker build -t docker.io/my-organization/my-app:${{ github.sha }} .
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/[email protected]
+        with:
+          image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}'
+          format: 'table'
+          exit-code: '1'
+          ignore-unfixed: true
+          vuln-type: 'os,library'
+          severity: 'CRITICAL,HIGH'