From 994ee425f01f985116b4c11f1289bfd5eeb86466 Mon Sep 17 00:00:00 2001
From: Rajesh Rajendran
Date: Tue, 15 Nov 2022 11:30:41 +0000
Subject: [PATCH] trivy scan for GH actions (#815)

* ci(acions): Chalice security scan

* chore(api): Fix building chalice
---
 .github/workflows/api-ee.yaml | 22 +++++++++++++++++++++-
 .github/workflows/api.yaml | 22 +++++++++++++++++++++-
 api/build.sh | 3 ++-
 3 files changed, 44 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/api-ee.yaml b/.github/workflows/api-ee.yaml
index e41779634..e5974b302 100644
--- a/.github/workflows/api-ee.yaml
+++ b/.github/workflows/api-ee.yaml
@@ -1,6 +1,11 @@
 # This action will push the chalice changes to aws
 on:
 workflow_dispatch:
+ inputs:
+ skip_security_checks:
+ description: 'Skip Security checks if there is a unfixable vuln or error. Value: true/false'
+ required: false
+ default: 'false'
 push:
 branches:
 - dev
@@ -46,8 +51,23 @@ jobs:
 IMAGE_TAG: ${{ github.ref_name }}_${{ github.sha }}-ee
 ENVIRONMENT: staging
 run: |
+ skip_security_checks=${{ github.event.inputs.skip_security_checks }}
 cd api
- PUSH_IMAGE=1 bash build.sh ee
+ PUSH_IMAGE=0 bash -x ./build.sh ee
+ [[ "x$skip_security_checks" == "xtrue" ]] || {
+ curl -L https://github.com/aquasecurity/trivy/releases/download/v0.34.0/trivy_0.34.0_Linux-64bit.tar.gz | tar -xzf - -C ./
+ images=("chalice" "alerts")
+ for image in ${images[*]};do
+ ./trivy image --exit-code 1 --security-checks vuln --vuln-type os,library --severity "HIGH,CRITICAL" --ignore-unfixed $DOCKER_REPO/$image:$IMAGE_TAG
+ done
+ err_code=$?
+ [[ $err_code -ne 0 ]] && {
+ exit $err_code
+ }
+ } && {
+ echo "Skipping Security Checks"
+ }
+ PUSH_IMAGE=1 bash -x ./build.sh ee
 - name: Creating old image input
 run: |
 #
diff --git a/.github/workflows/api.yaml b/.github/workflows/api.yaml
index ee49ded09..8c1849970 100644
--- a/.github/workflows/api.yaml
+++ b/.github/workflows/api.yaml
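Review bot: `skip_security_checks` is declared as a free-form string defaulting to `'false'`, and the shell side only recognises the exact value `true`, so `True`, `yes` or a typo silently leaves the scan enabled with nothing in the log saying the override was ignored. Declaring it `type: boolean` with `default: false` renders a checkbox on the dispatch form and constrains the value; the `"x$skip_security_checks" == "xtrue"` comparison should keep working since `github.event.inputs` exposes the value as a string. The description also reads `a unfixable` rather than `an unfixable`. The same input block is added in the first hunk of `.github/workflows/api.yaml`.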
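Review bot: The scan gate can pass a failing image: `err_code=$?` after `done` only holds the status of the last `./trivy` run in the loop, so HIGH/CRITICAL findings on `chalice` are discarded whenever `alerts` scans clean, and the `} && { echo "Skipping Security Checks" }` tail also prints "Skipping" on the non-skip path because `A || B && C` groups as `(A || B) && C`. Rewriting the block as `if/else` and recording each trivy status with `|| err_code=$?` (below) fixes both; the identical block is added in the second hunk of `.github/workflows/api.yaml`. The trivy tarball is piped from `curl -L` straight into `tar` with no `-f` and no integrity check, so an HTTP error page or a tampered archive is what gets executed in a job that pushes images — verify the download against the checksum file published with the release, or use the maintained `aquasecurity/trivy-action`. Note too that `bash -x ./build.sh` traces every command line into the job log; if `build.sh` (outside this hunk) performs a registry login with a credential on the command line, that value will be printed.
```yaml
        run: |
          # … unchanged: skip_security_checks assignment, cd api …
          PUSH_IMAGE=0 bash -x ./build.sh ee
          if [[ "x$skip_security_checks" == "xtrue" ]]; then
            echo "Skipping Security Checks"
          else
            # TODO: verify the archive against the checksum published with the release before running it
            curl -fsSL https://github.com/aquasecurity/trivy/releases/download/v0.34.0/trivy_0.34.0_Linux-64bit.tar.gz | tar -xzf - -C ./
            err_code=0
            images=("chalice" "alerts")
            for image in "${images[@]}"; do
              ./trivy image --exit-code 1 --security-checks vuln --vuln-type os,library --severity "HIGH,CRITICAL" --ignore-unfixed "$DOCKER_REPO/$image:$IMAGE_TAG" || err_code=$?
            done
            [[ $err_code -eq 0 ]] || exit "$err_code"
          fi
          PUSH_IMAGE=1 bash -x ./build.sh ee
```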
@@ -1,6 +1,11 @@
 # This action will push the chalice changes to aws
 on:
 workflow_dispatch:
+ inputs:
+ skip_security_checks:
+ description: 'Skip Security checks if there is a unfixable vuln or error. Value: true/false'
+ required: false
+ default: 'false'
 push:
 branches:
 - dev
@@ -45,8 +50,23 @@ jobs:
 IMAGE_TAG: ${{ github.ref_name }}_${{ github.sha }}
 ENVIRONMENT: staging
 run: |
+ skip_security_checks=${{ github.event.inputs.skip_security_checks }}
 cd api
- PUSH_IMAGE=1 bash build.sh
+ PUSH_IMAGE=0 bash -x ./build.sh
+ [[ "x$skip_security_checks" == "xtrue" ]] || {
+ curl -L https://github.com/aquasecurity/trivy/releases/download/v0.34.0/trivy_0.34.0_Linux-64bit.tar.gz | tar -xzf - -C ./
+ images=("chalice" "alerts")
+ for image in ${images[*]};do
+ ./trivy image --exit-code 1 --security-checks vuln --vuln-type os,library --severity "HIGH,CRITICAL" --ignore-unfixed $DOCKER_REPO/$image:$IMAGE_TAG
+ done
+ err_code=$?
+ [[ $err_code -ne 0 ]] && {
+ exit $err_code
+ }
+ } && {
+ echo "Skipping Security Checks"
+ }
+ PUSH_IMAGE=1 bash -x ./build.sh
 - name: Creating old image input
 run: |
 #
diff --git a/api/build.sh b/api/build.sh
index a7abdb877..9e1df8a28 100644
--- a/api/build.sh
+++ b/api/build.sh
@@ -49,8 +49,9 @@ build_api $1
 echo buil_complete
 IMAGE_TAG=$IMAGE_TAG PUSH_IMAGE=$PUSH_IMAGE DOCKER_REPO=$DOCKER_REPO bash build_alerts.sh $1
+echo "alerts done"
 [[ $1 == "ee" ]] && {
 cp ../ee/api/build_crons.sh .
 IMAGE_TAG=$IMAGE_TAG PUSH_IMAGE=$PUSH_IMAGE DOCKER_REPO=$DOCKER_REPO bash build_crons.sh $1
 rm build_crons.sh
-}
+} || true
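Review bot: `} || true` on the closing brace masks more than the non-`ee` case it was added for: the `&& { … }` block's status is that of its last command, so a failing `rm build_crons.sh` is now hidden, and if `build.sh` runs under `set -e` (not visible in this hunk) the change also removes the protection it had — before, the block was the final operand of `&&` so errexit applied inside it, whereas with `|| true` appended a failing `bash build_crons.sh` no longer aborts the build. An `if` block returns 0 when the condition is false without swallowing failures in the body: replace `[[ $1 == "ee" ]] && {` with `if [[ $1 == "ee" ]]; then` and `} || true` with `fi`. The enclosing script continues outside the hunk.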