From 0ecb24cbb8fcad376e55ac3e8477c6195b8f78df Mon Sep 17 00:00:00 2001
From: Diogo Mendes <diogo@metabase.com>
Date: Tue, 3 May 2022 14:26:15 -0300
Subject: [PATCH] Adding Trivy code scanner (#22326)

* Add initial repo scan

* Do not upload anything yet

* Uploading now

* Changing for docker image

* Test on branch

* Upload to github | ignore some directories | abort on new commit

* Return to master branch

* Removing space

* Moving Trivy to uberjar.yml

* Fixing `a step cannot have both the `uses` and `run` keys`
---
 .github/workflows/uberjar.yml | 35 +++++++++++++++++++++++++++++++++++
 1 file changed, 35 insertions(+)

diff --git a/.github/workflows/uberjar.yml b/.github/workflows/uberjar.yml
index 6b62c9e1a3b..08bed71b8bf 100644
--- a/.github/workflows/uberjar.yml
+++ b/.github/workflows/uberjar.yml
@@ -9,6 +9,10 @@ on:
     - ".**"
     - "test*"
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
 jobs:
   build:
     name: Build MB ${{ matrix.edition }}
@@ -114,9 +118,40 @@ jobs:
     - name: Retag and push images if master or main (ee)
       if: ${{ (github.ref_name == 'master' || github.ref_name == 'main') && matrix.edition == 'ee' }}
       run: docker tag localhost:5000/metabase-dev:${{ steps.extract_branch.outputs.branch }}-ee metabase/metabase-enterprise-head:latest && docker push metabase/metabase-enterprise-head:latest
+
     - name: Retag and push images if master or main (oss)
       if: ${{ (github.ref_name == 'master' || github.ref_name == 'main') && matrix.edition == 'oss' }}
       run: docker tag localhost:5000/metabase-dev:${{ steps.extract_branch.outputs.branch }}-oss metabase/metabase-head:latest && docker push metabase/metabase-head:latest
+
     - name: Retag and push images if branch
       if: ${{ !(startsWith(github.ref_name,'master') || startsWith(github.ref_name,'main') || startsWith(github.ref_name,'backport')) && matrix.edition == 'ee' }}
       run: docker tag localhost:5000/metabase-dev:${{ steps.extract_branch.outputs.branch }}-ee metabase/metabase-dev:${{ steps.extract_branch.outputs.branch }} && docker push metabase/metabase-dev:${{ steps.extract_branch.outputs.branch }}
+
+    - name: Run Trivy vulnerability scanner if master or main (ee)
+      if: ${{ (github.ref_name == 'master' || github.ref_name == 'main') && matrix.edition == 'ee' }}
+      uses: aquasecurity/trivy-action@master
+      with:
+        image-ref: docker.io/metabase-enterprise-head:latest
+        format: sarif
+        output: trivy-results.sarif
+
+    - name: Run Trivy vulnerability scanner if master or main (oss)
+      if: ${{ (github.ref_name == 'master' || github.ref_name == 'main') && matrix.edition == 'oss' }}
+      uses: aquasecurity/trivy-action@master
+      with:
+        image-ref: docker.io/metabase/metabase-head:latest
+        format: sarif
+        output: trivy-results.sarif
+
+    - name: Run Trivy vulnerability scanner if dev branch
+      if: ${{ !(startsWith(github.ref_name,'master') || startsWith(github.ref_name,'main') || startsWith(github.ref_name,'backport')) && matrix.edition == 'ee' }}
+      uses: aquasecurity/trivy-action@master
+      with:
+        image-ref: docker.io/metabase/metabase-dev:${{ steps.extract_branch.outputs.branch }}
+        format: sarif
+        output: trivy-results.sarif
+
+    - name: Upload Trivy scan results to GitHub Security tab
+      uses: github/codeql-action/upload-sarif@v2
+      with:
+        sarif_file: 'trivy-results.sarif'
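Review bot: The `image-ref` on the ee master/main scan step drops the repository namespace — the push step above publishes `metabase/metabase-enterprise-head:latest`, but the scanner is pointed at `docker.io/metabase-enterprise-head:latest`, which Docker resolves to the non-existent `docker.io/library/metabase-enterprise-head`, so the ee scan would fail to pull; it should read `image-ref: docker.io/metabase/metabase-enterprise-head:latest` to match the oss and dev-branch steps. The upload step carries no `if:` while every scan step is conditional, so for any combination none of them covers (e.g. `matrix.edition == 'oss'` on a dev branch, or any `backport*` branch) `trivy-results.sarif` is never written and `upload-sarif` fails the job; guard it with something like `if: ${{ hashFiles('trivy-results.sarif') != '' }}`. `aquasecurity/trivy-action@master` tracks a mutable branch inside a job that holds Docker Hub push credentials, which is a supply-chain exposure — pin it to a commit SHA (`uses: aquasecurity/trivy-action@<sha>  # vX.Y.Z`) and consider doing the same for `github/codeql-action/upload-sarif@v2`. Because all three scans run only after the image has already been pushed, findings are reported but never block publication; that is fine for a first pass but deserves a comment saying so, and `upload-sarif` also needs `security-events: write` on the job token, which I can't confirm from this hunk since the `build` job's `permissions:` and the start of its `steps:` list lie outside it.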
-- 
GitLab