Ops 3814 add image vulnerability scanning (#50)

* [OPS-3814] add GHA Trivy cron

* [OPS-3814] add trivy cron to BAP action

* [OPS-3814] split GHA

* [OPS-3814] add GHJA trigger to test

* [OPS-3814] add repro matrix

* [OPs-3814] fix workflow

* add trigger

* add trigger other workflow

* add workflow call

* fix workflow

* fix typo

* fix action

* [OPS-3814] update  trivy action version

* [OPS-3814] update trivy action version

* [OPS-3814] fix error trivy upload

* [OPS-3814] add trivy scan options

* [OPS-3841] debug option exit code

* [OPS-3814] add generic file name

* [OPS-3814] add workflow permissions

* [OPS-3814] fix trivy workflow permissions

* [OPS-3814] fix workflow

* [OPS-3814] add exitcode

* [OPS-3814] fix trivy action by commit hash

* [OPS-3814] reset trivy action to version master

* [OPS-3814] fix trivy workflow

* [OPS-3814] unset exitcode

* [OPS-3814] tidy for master

.github/workflows/bapontag.yaml

@@ -53,3 +53,4 @@ jobs:
           push: true
           tags: ${{ steps.docker_meta_img_hub.outputs.tags }}
           labels: ${{ steps.docker_meta_img_hub.outputs.labels }}
+

.github/workflows/trivy-cron.yaml

@@ -0,0 +1,33 @@
+---
+name: Docker Image Trivy Image Vulnerability Scan Cron Job
+on:
+  schedule:
+    # Runs "at 2 a.m. past every day" (see https://crontab.guru)
+    - cron: '0 2 * * *'
+permissions:
+  # required for all workflows
+  security-events: write
+  # only required for workflows in private repositories
+  actions: read
+  contents: read
+
+# Multi Image Repro GHA
+jobs:
+  trivy_image_scan_cron:
+    strategy:
+      matrix:
+        image:
+          - infra-tools
+          - dbcmetrics
+          - awx-ee
+    uses: hpi-schul-cloud/infra-tools/.github/workflows/trivy-scan.yaml@master
+    with:
+      image-ref: 'docker.io/schulcloud/${{ matrix.image }}:latest'
+
+# Template Single Image Repro GHA
+# jobs:
+#   trivy_image_scan_cron:
+#     uses: hpi-schul-cloud/infra-tools/.github/workflows/trivy-scan.yaml@OPS-3814-add-Image-Vulnerability-Scanning
+#     # uses: hpi-schul-cloud/infra-tools/.github/workflows/trivy-scan.yaml@master
+#     with:
+#       image-ref: 'docker.io/schulcloud/<IMAGE_NAME>:latest'

.github/workflows/trivy-scan.yaml

@@ -0,0 +1,39 @@
+---
+name: Trivy Image Vulnerability Scann Job
+on:
+  workflow_call:
+    inputs:
+      image-ref:
+        description: "repository image reference"
+        required: true
+        type: string
+
+jobs:
+  build:
+    name: Build
+    runs-on: ubuntu-20.04
+    permissions:
+      # required for all workflows
+      security-events: write
+      # only required for workflows in private repositories
+      actions: read
+      contents: read
+    steps:
+      - name: Run Trivy vulnerability scanner
+        # Third-party action, pin to commit SHA!
+        # See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
+        # Breaking API Aqua Security Trivy Action 0.8.0
+        uses: aquasecurity/trivy-action@9ab158e8597f3b310480b9a69402b419bc03dbd5
+        with:
+          image-ref: ${{ inputs.image-ref }}
+          format: 'sarif'
+          output: 'trivy-results.sarif'
+          severity: 'CRITICAL,HIGH'
+          # exit-code: 1
+          ignore-unfixed: true
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v2
+        if: always()
+        with:
+          sarif_file: 'trivy-results.sarif'