ci: Add Trivy vulnerability scanner for docker images

Author: markmetcalfe

.github/workflows/scan-images.yml

@@ -0,0 +1,46 @@
+name: Trivy Image Vulnerability Scan
+
+on:
+  workflow_dispatch:
+  schedule:
+    - cron: '0 18 * * 0' # Run every Monday at 6am NZST
+
+permissions:
+  contents: read
+
+jobs:
+  scan-image:
+    name: Scan ${{ matrix.image }} image for vulnerabilities
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: true
+      matrix:
+        include:
+          - image: mssql2017
+          - image: mssql2019
+          - image: mssql2022
+          - image: php73
+          - image: php74
+          - image: php80
+          - image: php81
+          - image: php82
+          - image: php83
+          - image: php84
+    permissions:
+      contents: read
+      security-events: write
+    steps:
+      - name: Pull image to scan
+        run: docker pull ghcr.io/totara/docker-dev-${{ matrix.image }}
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 # v0.33.1
+        with:
+          image-ref: ghcr.io/totara/docker-dev-${{ matrix.image }}
+          format: template
+          template: '@/contrib/sarif.tpl'
+          output: trivy-results-${{ matrix.image }}-image.sarif
+          severity: 'CRITICAL,HIGH'
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v4
+        with:
+          sarif_file: trivy-results-${{ matrix.image }}-image.sarif

.github/workflows/scan-repo.yml

@@ -0,0 +1,40 @@
+name: Trivy Repo Vulnerability Scan
+
+on:
+  push:
+    branches:
+      - master
+  pull_request:
+    branches:
+      - master
+
+permissions:
+  contents: read
+
+jobs:
+  scan-repo:
+    name: Scan repo for vulnerabilities
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      security-events: write
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 1
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 # v0.33.1
+        with:
+          scan-type: 'fs'
+          scan-ref: '.'
+          ignore-unfixed: true
+          format: 'sarif'
+          output: 'trivy-results-repo.sarif'
+          exit-code: '1'
+          severity: 'CRITICAL,HIGH'
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v4
+        if: always()
+        with:
+          sarif_file: 'trivy-results-repo.sarif'

compose/mssql.yml

@@ -60,8 +60,11 @@ services:
     networks:
       - totara
 
-  # When adding a new MSSQL container, make sure you also add entries in:
-  # compose/build.yml, .github/workflows/build-mssql.yml
+  # When adding a new MSSQL container here, make sure you also:
+  # - Add a build entry in compose/build.yml
+  # - Add a CI build entry in .github/workflows/build-mssql.yml
+  # - Add a image matrix entry in .github/workflows/scan-images.yml
+  # - Update README.md
 
 volumes:
   mssql-data:

compose/php.yml

@@ -378,6 +378,7 @@ services:
   # - Add a mutagen sync entry in compose/sync.yml
   # - Add relevant network aliases in compose/nginx.yml and compose/apache.yml
   # - Add a CI build entry in .github/workflows/build-php.yml
+  # - Add a image matrix entry in .github/workflows/scan-images.yml
   # - Update the max PHP version in .github/workflows/validate-config.yml
   # - Update README.md