From 87e8a1635e17813b9a64f578be5291c0f37593de Mon Sep 17 00:00:00 2001
From: Mat Moore
Date: Fri, 8 Nov 2024 16:15:59 +0000
Subject: [PATCH] feat: add trivy image scanning

The cloud platform scans containers when they are running in the cluster, but we should also be scanning the images before we deploy to the cluster.

https://user-guide.cloud-platform.service.justice.gov.uk/documentation/other-topics/trivy-image-scanning.html#trivy-vulnerability-scanning
---
 .github/workflows/reusable-push-and-deploy.yml | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/.github/workflows/reusable-push-and-deploy.yml b/.github/workflows/reusable-push-and-deploy.yml
index 68d77247..82a4266b 100644
--- a/.github/workflows/reusable-push-and-deploy.yml
+++ b/.github/workflows/reusable-push-and-deploy.yml
@@ -47,6 +47,7 @@ jobs:
     permissions:
       id-token: write # This is required for requesting the JWT
       contents: read # This is required for actions/checkout
+      security-events: write
 
     steps:
       - uses: actions/checkout@v4
@@ -95,6 +96,18 @@ jobs:
           IMAGE_PATH: ${{ steps.image-path.outputs.image_path }}
         run: docker push "${IMAGE_PATH}"
 
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@0.28.0
+        with:
+          image-ref: ${{ steps.image-path.outputs.image_path }}
+          format: "sarif"
+          output: "trivy-results.sarif"
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: "trivy-results.sarif"
+
       - name: Prepare deployment yaml
         id: prepare-deployment
         env:
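Review bot: The new `security-events: write` line is the only permission in this block without the trailing why-comment the two existing entries carry, so a reader has to go to the second hunk to learn what needs it. Matching the existing style, `security-events: write # This is required for upload-sarif to write to the Security tab` makes the grant self-explanatory and easier to audit when someone later asks whether the workflow still needs it.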
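Review bot: The Trivy step as written never fails the job, so a finding is recorded in the Security tab but the workflow still continues to the deployment steps that follow, which does not achieve the "scan before we deploy" gate the commit message describes. Setting `exit-code: "1"` and `severity: "CRITICAL,HIGH"` in the step's `with:` block makes the job stop on serious findings, and then the upload step needs `if: always()` so the SARIF is still published when the scan fails. It is also worth noting that the scan runs after `docker push`, so the image is already in the registry when findings surface; that is a reasonable choice for a pushed-then-promoted flow, but a short comment stating it would avoid the next reader assuming the push is gated. Finally, `aquasecurity/trivy-action@0.28.0` and `github/codeql-action/upload-sarif@v3` are pinned to mutable tags; if the repository's policy is to pin third-party actions to a full commit SHA (as is common for workflows that hold `id-token: write`), these two should follow it.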