From 689e8bd63517a920b78623e043eec6aad8379ec9 Mon Sep 17 00:00:00 2001
From: Bonface Shisakha Asunga <basunga@ona.io>
Date: Tue, 4 Oct 2022 10:28:26 +0300
Subject: [PATCH 1/2] Add Trivy repository scan

Signed-off-by: Bonface Shisakha Asunga <basunga@ona.io>
---
 .github/workflows/trivy-repo-scan.yml | 26 ++++++++++++++++++++++++++
 1 file changed, 26 insertions(+)
 create mode 100644 .github/workflows/trivy-repo-scan.yml

diff --git a/.github/workflows/trivy-repo-scan.yml b/.github/workflows/trivy-repo-scan.yml
new file mode 100644
index 00000000..9fc3b983
--- /dev/null
+++ b/.github/workflows/trivy-repo-scan.yml
@@ -0,0 +1,26 @@
+name: Trivy Security Scan on OpenSRP-Server-Web repository
+on:
+  push:
+    branches: 
+      - trivy-ci-scan
+  pull_request:
+jobs:
+  build:
+    name: Build
+    runs-on: ubuntu-20.04
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v3
+
+      - name: Run Trivy vulnerability scanner in repo mode
+        uses: aquasecurity/trivy-action@master
+        with:
+          scan-type: 'fs'
+          ignore-unfixed: true
+          format: 'sarif'
+          output: 'trivy-dhis2-fhir-adapter-repo-results.sarif'          
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          sarif_file: 'trivy-dhis2-fhir-adapter-repo-results.sarif'
\ No newline at end of file

From 1eec7e890a7f9af06fbe7b4c2b01bba26524267f Mon Sep 17 00:00:00 2001
From: Bonface Shisakha Asunga <basunga@ona.io>
Date: Tue, 4 Oct 2022 10:54:32 +0300
Subject: [PATCH 2/2] Trivy docker vulnerability scan

Signed-off-by: Bonface Shisakha Asunga <basunga@ona.io>
---
 .github/workflows/docker-publish.yml | 75 +++++++++++++++++++++++++++-
 1 file changed, 74 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml
index 3cbb9d90..1e09fa8c 100644
--- a/.github/workflows/docker-publish.yml
+++ b/.github/workflows/docker-publish.yml
@@ -5,7 +5,7 @@ on:
     # Publish `master` as Docker `master` tag.
     # See also https://github.com/crazy-max/ghaction-docker-meta#basic
     branches:
-      - master
+      - trivy-ci-scan
 
     # Publish `v1.2.3` tags as releases.
     tags:
@@ -101,3 +101,76 @@ jobs:
 
       - name: Image digest
         run: echo ${{ steps.docker_build.outputs.digest }}
+
+      - name: Run Trivy vulnerability scanner on Docker image - JSON
+        uses: aquasecurity/trivy-action@master
+        with:
+          image-ref: ghcr.io/${{ steps.docker_meta.outputs.tags }}
+          format: json
+          output: 'trivy-dhis2-fhir-adapter-results.json'
+
+      - name: Run Trivy vulnerability scanner on Docker image - SARIF
+        uses: aquasecurity/trivy-action@master
+        with:
+          image-ref: ghcr.io/${{ steps.docker_meta.outputs.tags }}
+          format: sarif
+          ignore-unfixed: true
+          output: 'trivy-dhis2-fhir-adapter-docker-results.sarif'          
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          sarif_file: 'trivy-dhis2-fhir-adapter-docker-results.sarif'
+          
+          
+      - name: Create summary of trivy issues on Docker image
+        run: |
+          summary=$(jq -r '.Results[] | select(.Vulnerabilities) | .Vulnerabilities | group_by(.Severity) | map({Severity: .[0].Severity, Count: length}) | .[] | [.Severity, .Count] | join(": ")' trivy-results.json | awk 'NR > 1 { printf(" | ") } {printf "%s",$0}')
+          if [ -z $summary ]
+          then
+            summary="0 Issues"
+          fi
+          echo "SUMMARY=$summary" >> $GITHUB_ENV
+      
+      - name: Generate trivy HTML report on Docker image for download
+        uses: aquasecurity/trivy-action@master
+        with:
+          image-ref: ghcr.io/${{ steps.docker_meta.outputs.tags }}
+          format: 'template'
+          template: '@/contrib/html.tpl'
+          output: 'trivy-results-dhis2-fhir-adapter-docker-report.html'
+
+      - name: Upload Trivy results as an artifact
+        uses: actions/upload-artifact@v3
+        with:
+          name: "trivy-results-dhis2-fhir-adapter-docker-report.html"
+          path: './trivy-results-dhis2-fhir-adapter-docker-report.html'
+          retention-days: 30
+
+      # - name: Send Slack Notification
+      #   uses: slackapi/slack-github-action@v1.19.0
+      #   with:
+      #     payload: |
+      #       {
+      #         "text": "Trivy scan results for ${{ steps.docker_meta.outputs.tags }}",
+      #         "blocks": [
+      #           {
+      #             "type": "section",
+      #             "text": {
+      #               "type": "mrkdwn",
+      #               "text": "Trivy scan results: ${{ env.SUMMARY }}"
+      #             }
+      #           },
+      #           {
+      #             "type": "section",
+      #             "text": {
+      #               "type": "mrkdwn",
+      #               "text": "View result artifact: https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}. Artifact is only valid for 30 days."
+      #             }
+      #           }
+      #         ]
+      #       }
+      #   env:
+      #     SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
+      #     SLACK_WEBHOOK_TYPE: INCOMING_WEBHOOK
+