From 38d1a3d8fd27bb8836c5824ef1751699096ba59e Mon Sep 17 00:00:00 2001
From: phansGithub
Date: Tue, 14 Nov 2023 13:38:25 +0000
Subject: [PATCH] Added trivy to public-ci
Signed-off-by: phansGithub
---
.github/workflows/public-ci.yml | 46 +++++++++++++++++++++++++++++++++
1 file changed, 46 insertions(+)
diff --git a/.github/workflows/public-ci.yml b/.github/workflows/public-ci.yml
index bc6f072..a3a315f 100644
--- a/.github/workflows/public-ci.yml
+++ b/.github/workflows/public-ci.yml
@@ -116,3 +116,49 @@ jobs: - name: unit-tests run: make test
+
+# Trivy Scan
+ trivy-scan:
+ runs-on: ubuntu-latest
+ permissions: write-all
+ steps:
+
+ - name: Checkout code
+ uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
+
+ - name: Run Trivy vulnerability scanner in repo mode
+ uses: aquasecurity/trivy-action@master
+ with:
+ scan-type: 'fs'
+ ignore-unfixed: true
+ format: 'sarif'
+ output: 'trivy-results.sarif'
+ severity: 'CRITICAL'
+
+ - name: Build image
+ run: make image
+
+ - name: Generate .tar image
+ run: docker save -o vul-image.tar localhost:5000/afxdp-device-plugin:latest
+
+ - name: Run Trivy on tarballed image
+ uses: aquasecurity/trivy-action@master
+ with:
+ image-ref: /github/workspace/vul-image.tar
+ scan-type: 'fs'
+ ignore-unfixed: false
+ format: 'sarif'
+ output: 'trivy-image-results.sarif'
+ severity: 'CRITICAL'
+
+ - name: Upload Trivy scan results to GitHub Security tab
+ uses: github/codeql-action/upload-sarif@v2
+ with:
+ sarif_file: 'trivy-results.sarif'
+
+ - name: Print sarif file
+ run: cat < trivy-results.sarif
+
+ - name: Print image sarif file
+ run: cat trivy-image-results.sarif
\ No newline at end of file
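Review bot: `permissions: write-all` on the new `trivy-scan` job grants every GITHUB_TOKEN scope, while the only write the job performs is the SARIF upload; scope it to `contents: read` and `security-events: write`. That over-broad token is then exposed to two `aquasecurity/trivy-action@master` references, unpinned mutable refs in a job that otherwise SHA-pins `actions/checkout` — pin both to a full commit SHA with a version comment, and consider the same for `github/codeql-action/upload-sarif@v2`. The image scan also looks ineffective as written: `scan-type: 'fs'` combined with `image-ref` pointing at the tarball will, as far as I can tell from the action's inputs, rescan the workspace rather than the saved image (`scan-type: 'image'` with `input:` set to the tar path is the tarball mode), and `trivy-image-results.sarif` is only `cat`ed, never uploaded, so no image finding ever reaches the Security tab. Finally, neither scan sets `exit-code: '1'`, so CRITICAL findings do not fail the job and `ignore-unfixed: true` additionally hides unpatched criticals in the repo scan — confirm that is the intended gate.
```yaml
  trivy-scan:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write  # upload-sarif is the only write this job performs
    steps:
      # … unchanged: checkout, repo-mode scan, build image, docker save …
      - name: Run Trivy on tarballed image
        uses: aquasecurity/trivy-action@master  # pin to a full commit SHA, as checkout is
        with:
          scan-type: 'image'
          input: /github/workspace/vul-image.tar
          # … unchanged: ignore-unfixed, format, output, severity …
      # … unchanged: upload of trivy-results.sarif …
      - name: Upload image scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: 'trivy-image-results.sarif'
          category: trivy-image  # distinct category so it does not replace the repo-scan upload
      # … unchanged: print steps …
```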