[Tech] Ajout de Trivy (#2749)

## Linked issues ---- - [ ] Tests E2E (Cypress)
MTES-MCT · Dec 6, 2023 · 98c3034 · 98c3034
2 parents 6a484b8 + a5fafbf
commit 98c3034
Showing 1 changed file with 46 additions and 0 deletions.
diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml
@@ -0,0 +1,46 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+name: trivy
+
+on:
+  workflow_dispatch:
+    version:
+      description: 'Version number'
+      required: true
+      default: 'v1.0.0'
+
+permissions:
+  contents: read
+
+jobs:
+  analyze:
+    permissions:
+      packages: write
+      contents: read # for actions/checkout to fetch code
+      security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+      actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
+    name: Run Trivy
+    runs-on: "ubuntu-20.04"
+    steps:
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@v2
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@master
+        with:
+          image-ref: "ghcr.io/mtes-mct/monitorfish/monitorfish-app:${{ github.event.inputs.version }}"
+          format: sarif
+          output: "trivy-results.sarif"
+          severity: "CRITICAL,HIGH"
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          sarif_file: "trivy-results.sarif"