hawkbit/.github/workflows/reusable_workflow_trivy-scan.yaml

name: Trivy Scan (Reusable Workflow)

on:
  workflow_call:
    inputs:
      ref:
        description: 'The branch, tag or SHA to checkout, e.g. master'
        type: string
        default: 'master'
      upload:
        description: 'If to upload the scan results, e.g. true or false'
        type: boolean
        default: false

permissions:
  contents: read
  # needed for trivy scans upload
  security-events: write

jobs:
  trivy-scan:
    runs-on: ubuntu-latest

    steps:
      - name: Checkout code
        uses: actions/checkout@v6
        with:
          ref: ${{ inputs.ref }}

      - name: Set up JDK
        uses: actions/setup-java@v5
        with:
          distribution: "temurin"
          java-version: 21
          cache: "maven"

      - name: Create hawkBit container images
        run: |
          mvn clean install -DskipTests -DskipJavadoc && \
          cd docker/build && \
          chmod +x build_dev.sh && \
          ./build_dev.sh && \
          cd ../../..

      - name: Determine most recent Trivy version
        run: |
          echo "TRIVY_VERSION=$(wget -qO - 'https://api.github.com/repos/aquasecurity/trivy/releases/latest' | \
            grep '\"tag_name\":' | sed -E 's/.*\"v([^\"]+)\".*/\1/')" >> $GITHUB_ENV

      - name: Install Trivy
        run: |
          wget --no-verbose https://github.com/aquasecurity/trivy/releases/download/v${{ env.TRIVY_VERSION }}/trivy_${{ env.TRIVY_VERSION }}_Linux-64bit.tar.gz -O - | tar -zxvf -

      - name: Scan Docker images
        run: |
          mkdir -p scans/eclipse-hawkbit/hawkbit
          for IMAGE in $(docker image ls --format "{{.Repository}}:{{.Tag}}" "hawkbit/hawkbit-*:latest"); do
            echo "Scanning image ${IMAGE} ..."
            ./trivy image "${IMAGE}" --ignore-unfixed --ignorefile .github/workflows/.trivyignore --severity HIGH,CRITICAL --vuln-type library --output "scans/eclipse-hawkbit/${IMAGE}.sarif" --format sarif
          done

      - name: Check if to upload scan results
        run: |
          if [ "${{ inputs.upload }}" = "true" ]; then
            echo "Uploading scan results..."
          else
            echo "Skipping upload of scan results."
            exit 0
          fi

      - name: Upload Docker image scan results to GitHub Security tab hawkbit-ddi-server
        uses: github/codeql-action/upload-sarif@v4
        with:
          sarif_file: 'scans/eclipse-hawkbit/hawkbit/hawkbit-ddi-server:latest.sarif'
          category: "Container Images (hawkbit-ddi-server)"
      - name: Upload Docker image scan results to GitHub Security tab hawkbit-dmf-server
        uses: github/codeql-action/upload-sarif@v4
        with:
          sarif_file: 'scans/eclipse-hawkbit/hawkbit/hawkbit-dmf-server:latest.sarif'
          category: "Container Images (hawkbit-dmf-server)"
      - name: Upload Docker image scan results to GitHub Security tab hawkbit-mgmt-server
        uses: github/codeql-action/upload-sarif@v4
        with:
          sarif_file: 'scans/eclipse-hawkbit/hawkbit/hawkbit-mgmt-server:latest.sarif'
          category: "Container Images (hawkbit-mgmt-server)"
      - name: Upload Docker image scan results to GitHub Security tab hawkbit-ui
        uses: github/codeql-action/upload-sarif@v4
        with:
          sarif_file: 'scans/eclipse-hawkbit/hawkbit/hawkbit-ui:latest.sarif'
          category: "Container Images (hawkbit-ui)"

      - name: Upload Docker image scan results to GitHub Security tab hawkbit-update-server
        uses: github/codeql-action/upload-sarif@v4
        with:
          sarif_file: 'scans/eclipse-hawkbit/hawkbit/hawkbit-update-server:latest.sarif'
          category: "Container Images (hawkbit-update-server)"

      - name: Upload Docker image scan results to GitHub Security tab hawkbit-repository-jpa-init
        uses: github/codeql-action/upload-sarif@v4
        with:
          sarif_file: 'scans/eclipse-hawkbit/hawkbit/hawkbit-repository-jpa-init:latest.sarif'
          category: "Container Images (hawkbit-repository-jpa-init)"