From 179ea63f2521d31a526978bd8fc91135998567f0 Mon Sep 17 00:00:00 2001
From: JoshuaLicense
Date: Thu, 11 Jul 2024 13:59:50 +0100
Subject: [PATCH] ci: upload security scanning to GHCS (#39)

* ci: upload security scanning to GHCS
* fix: try to fix `latest` not being part of tags on empty list
---
 .github/workflows/docker.yaml | 24 +++++++++++++++---------
 1 file changed, 15 insertions(+), 9 deletions(-)

diff --git a/.github/workflows/docker.yaml b/.github/workflows/docker.yaml
index e3c7a9d..7c1414c 100644
--- a/.github/workflows/docker.yaml
+++ b/.github/workflows/docker.yaml
@@ -58,7 +58,7 @@ jobs:
         id: meta
         uses: docker/metadata-action@v5
         with:
-          flavor: latest=true
+          flavor: latest=false
           images: |
             ${{ env.REGISTRY }}/${{ inputs.repository }}
             ${{ env.REGISTRY_MIRROR }}/dvsa/dvsa-docker-images/${{ inputs.repository }}
@@ -66,6 +66,7 @@ jobs:
             type=semver,enable=${{ inputs.is-release || inputs.is-schedule-release }},pattern={{major}}.{{minor}},value=${{ inputs.image-version }}
             type=semver,enable=${{ inputs.is-release || inputs.is-schedule-release }},pattern={{major}},value=${{ inputs.image-version }}
             type=semver,enable=${{ inputs.is-release }},pattern={{version}},value=${{ inputs.image-version }}
+            type=raw,value=latest
 
       - name: Configure AWS credentials
         if: ${{ inputs.push }}
@@ -85,12 +86,12 @@ jobs:
         id: mutable-meta
         uses: docker/metadata-action@v5
         with:
-          flavor: latest=true
           # Only required for ECR (the main registry) as the mirror registry (GHCR) doesn't support tag immutability.
           images: ${{ env.REGISTRY }}/${{ inputs.repository }}
           tags: |
             type=semver,enable=${{ inputs.is-release || inputs.is-schedule-release }},pattern={{major}}.{{minor}},value=${{ inputs.image-version }}
             type=semver,enable=${{ inputs.is-release || inputs.is-schedule-release }},pattern={{major}},value=${{ inputs.image-version }}
+            type=raw,value=latest
 
       - name: Untag mutable tags
         if: ${{ inputs.push && steps.mutable-meta.outputs.tags }}
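Review bot: The added `type=raw,value=latest` in the meta `tags:` block of the @@ -66 hunk (and the identical line in the mutable-meta hunk at @@ -85) carries no `enable=` guard, unlike every `type=semver` entry above it, so any run that reaches the push step now emits a `latest` tag regardless of `inputs.is-release` or `inputs.is-schedule-release`. If that is the intended fix for the empty-tag-list problem in the commit message, say so on the line, e.g. `# latest is intentionally unconditional: the latest=true flavor produced no tag when the list was empty`; if only releases should move `latest`, the line should instead read `type=raw,value=latest,enable=${{ inputs.is-release || inputs.is-schedule-release }}`. A knock-on effect visible in the @@ -85 hunk: `steps.mutable-meta.outputs.tags` appears to never be empty any more, so the Untag step's `if: ${{ inputs.push && steps.mutable-meta.outputs.tags }}` reduces to `inputs.push`, which is presumably acceptable but worth confirming against what that step deletes in ECR. The `tags: |` block scalar these lines belong to opens before the @@ -66 hunk.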
@@ -168,13 +169,18 @@ jobs:
           cache-from: type=gha
 
       - name: Scan
+        id: scan
         uses: aquasecurity/trivy-action@0.23.0
         with:
           image-ref: ${{ steps.build-and-push.outputs.imageid }}
-          # format: 'sarif'
-          # output: 'trivy-results.sarif'
-
-      # - name: Upload Trivy scan results to GitHub Code Scanning
       #   uses: github/codeql-action/upload-sarif@v3
       #   with:
       #     sarif_file: 'trivy-results.sarif'
+          format: 'sarif'
+          exit-code: '1'
+          ignore-unfixed: true
+          vuln-type: 'os,library'
+          severity: 'CRITICAL,HIGH'
+
+      - name: Upload Trivy scan results to GitHub Code Scanning
+        if: ${{ always() && !cancelled() && steps.scan.outcome == 'success' || steps.scan.outcome == 'failure' }}
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: 'trivy-results.sarif'
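Review bot: The Scan step sets `format: 'sarif'` but the `output:` input was dropped together with the commented-out lines, while the new upload step still reads `sarif_file: 'trivy-results.sarif'`; with `output` unset the action appears to write the report to stdout rather than to that path (confirm against the 0.23.0 inputs), in which case the upload step fails on a missing file and nothing reaches Code Scanning, so add `output: 'trivy-results.sarif'` under `with:` beside `format`. The upload `if:` mixes `&&` and `||` without parentheses and therefore evaluates as `(always() && !cancelled() && outcome == 'success') || outcome == 'failure'`, leaving the cancellation guard off the failure branch; `if: ${{ !cancelled() && (steps.scan.outcome == 'success' || steps.scan.outcome == 'failure') }}` states the intent directly and `!cancelled()` already counts as the status-check function the expression needs. `exit-code: '1'` with `severity: 'CRITICAL,HIGH'` correctly turns a finding into a failed job, but the scan runs on `steps.build-and-push.outputs.imageid`, so if that earlier step has already pushed the image (its name suggests it has) this gate reports after the fact rather than blocking the push. Uploading SARIF also requires `security-events: write` in the job's `permissions:`, which lies outside this hunk and should be checked.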