From d48e06f4389417465fb7cd416d4d5301490d4307 Mon Sep 17 00:00:00 2001
From: nodiscc <nodiscc@gmail.com>
Date: Tue, 2 May 2023 12:15:57 +0200
Subject: [PATCH 1/2] run trivy vulnerability scanner on the 'latest' docker
 image - run trivy from makefile so that it can be run both locally and
 through github actions - usage: make test_trivy
 TRIVY_TARGET_DOCKER_IMAGE=regist.ry/user/image:tag - tested by downgrading
 the base image to alpine 3.15.7 and verifying that vulnerabilities are
 reported
 (https://github.com/nodiscc/Shaarli/actions/runs/4860040980/jobs/8663400103)
 - TEMP/TESTING only push image to ghcr.io, run trivy on trivy branch/docker
 tag as well as master - ref. https://github.com/shaarli/Shaarli/issues/1531

---
 .github/workflows/docker-latest.yml | 22 ++++++++++++----------
 Makefile                            |  9 +++++++++
 2 files changed, 21 insertions(+), 10 deletions(-)

diff --git a/.github/workflows/docker-latest.yml b/.github/workflows/docker-latest.yml
index 6611a18b..52d86ff0 100644
--- a/.github/workflows/docker-latest.yml
+++ b/.github/workflows/docker-latest.yml
@@ -1,7 +1,7 @@
 name: Build/push Docker image (master/latest)
 on:
   push:
-    branches: [ master ]
+    branches: [ master, trivy ]
 jobs:
   docker-build:
     runs-on: ubuntu-latest
@@ -11,11 +11,11 @@ jobs:
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v2
 
-      - name: Login to DockerHub
-        uses: docker/login-action@v2
-        with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
+      # - name: Login to DockerHub
+      #   uses: docker/login-action@v2
+      #   with:
+      #     username: ${{ secrets.DOCKERHUB_USERNAME }}
+      #     password: ${{ secrets.DOCKERHUB_TOKEN }}
       - name: Login to GitHub Container Registry
         uses: docker/login-action@v2
         with:
@@ -35,9 +35,11 @@ jobs:
         with:
           context: .
           push: true
-          platforms: linux/amd64,linux/arm64,linux/arm/v7
-          tags: |
-            ${{ secrets.DOCKER_IMAGE }}:latest
-            ghcr.io/${{ secrets.DOCKER_IMAGE }}:latest
+          # tags: |
+          #   ${{ secrets.DOCKER_IMAGE }}:trivy
+          #   ghcr.io/${{ secrets.DOCKER_IMAGE }}:trivy
+          tags: ghcr.io/${{ secrets.DOCKER_IMAGE }}:trivy
       - name: Image digest
         run: echo ${{ steps.docker_build.outputs.digest }}
+      - name: Run trivy image scanner
+        run: make test_trivy TRIVY_TARGET_DOCKER_IMAGE=ghcr.io/${{ secrets.DOCKER_IMAGE }}:trivy
diff --git a/Makefile b/Makefile
index b9660045..1587b305 100644
--- a/Makefile
+++ b/Makefile
@@ -82,6 +82,15 @@ locale_test_%:
 		--bootstrap tests/languages/bootstrap.php \
 		--testsuite language-$(firstword $(subst _, ,$*))
 
+# trivy version (https://github.com/aquasecurity/trivy/releases)
+TRIVY_VERSION=0.39.0
+# default docker image to scan with trivy
+TRIVY_TARGET_DOCKER_IMAGE=ghcr.io/shaarli/shaarli:latest
+test_trivy:
+	wget --quiet --continue -O trivy_$(TRIVY_VERSION)_Linux-64bit.tar.gz https://github.com/aquasecurity/trivy/releases/download/v$(TRIVY_VERSION)/trivy_$(TRIVY_VERSION)_Linux-64bit.tar.gz
+	tar -zxf trivy_$(TRIVY_VERSION)_Linux-64bit.tar.gz
+	./trivy image $(TRIVY_TARGET_DOCKER_IMAGE)
+
 all_tests: test locale_test_de_DE locale_test_en_US locale_test_fr_FR
 	@# --The current version is not compatible with PHP 7.2
 	@#$(BIN)/phpcov merge --html coverage coverage

From 22b40449866559cb6046d167a5629eaff094a5da Mon Sep 17 00:00:00 2001
From: nodiscc <nodiscc@gmail.com>
Date: Tue, 2 May 2023 12:24:38 +0200
Subject: [PATCH 2/2] tools/github actions: revert temporary changes used for
 trivy tests on fork/branch

---
 .github/workflows/docker-latest.yml | 20 ++++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)

diff --git a/.github/workflows/docker-latest.yml b/.github/workflows/docker-latest.yml
index 52d86ff0..2ce685e8 100644
--- a/.github/workflows/docker-latest.yml
+++ b/.github/workflows/docker-latest.yml
@@ -1,7 +1,7 @@
 name: Build/push Docker image (master/latest)
 on:
   push:
-    branches: [ master, trivy ]
+    branches: [ master ]
 jobs:
   docker-build:
     runs-on: ubuntu-latest
@@ -11,11 +11,11 @@ jobs:
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v2
 
-      # - name: Login to DockerHub
-      #   uses: docker/login-action@v2
-      #   with:
-      #     username: ${{ secrets.DOCKERHUB_USERNAME }}
-      #     password: ${{ secrets.DOCKERHUB_TOKEN }}
+      - name: Login to DockerHub
+        uses: docker/login-action@v2
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
       - name: Login to GitHub Container Registry
         uses: docker/login-action@v2
         with:
@@ -35,10 +35,10 @@ jobs:
         with:
           context: .
           push: true
-          # tags: |
-          #   ${{ secrets.DOCKER_IMAGE }}:trivy
-          #   ghcr.io/${{ secrets.DOCKER_IMAGE }}:trivy
-          tags: ghcr.io/${{ secrets.DOCKER_IMAGE }}:trivy
+          platforms: linux/amd64,linux/arm64,linux/arm/v7
+          tags: |
+            ${{ secrets.DOCKER_IMAGE }}:latest
+            ghcr.io/${{ secrets.DOCKER_IMAGE }}:latest
       - name: Image digest
         run: echo ${{ steps.docker_build.outputs.digest }}
       - name: Run trivy image scanner