From d1c84327967e99f12f88aaf3ff4b6c38dc698a3c Mon Sep 17 00:00:00 2001
From: Teppei Fukuda
Date: Thu, 11 Mar 2021 17:15:07 +0200
Subject: [PATCH] chore(ci/trivy): replace script with action (#1355)
* chore: replace script with action
* delete trivy script
* more
Co-authored-by: Admiral Awkbar
---
.automation/test/go/reports/expected-GO-5.tap | 7 ++
.automation/trivy-security-scan.sh | 105 ------------------
.github/workflows/trivy.yml | 25 ++---
3 files changed, 18 insertions(+), 119 deletions(-)
create mode 100644 .automation/test/go/reports/expected-GO-5.tap
delete mode 100755 .automation/trivy-security-scan.sh
diff --git a/.automation/test/go/reports/expected-GO-5.tap b/.automation/test/go/reports/expected-GO-5.tap
new file mode 100644
index 00000000..fd63a20d
--- /dev/null
+++ b/.automation/test/go/reports/expected-GO-5.tap
@@ -0,0 +1,7 @@
+TAP version 13
+1..2
+not ok 1 - golang_bad_01.go
+ ---
+ message: level=warningg="[runner] The linter 'maligned' is deprecated due to The repository of the linter has been archived by the owner. Use govet 'fieldalignment' instead."\nlevel=warningg="[runner] Can't run linter goanalysis_metalinter failed prerequisites [(buildir@command-line-arguments, inspect@command-line-arguments, isgenerated@command-line-arguments) analysis skipped errors in package [go/golang_bad_01.go 1 1 expected 'package', found 'if' /tmp/lint/.automation/test/go/golang_bad_01.go 1 1 expected 'package', found 'if']]"\nlevel=warningg="[runner] Can't run linter unused buildir analysis skipped errors in package [go/golang_bad_01.go 1 1 expected 'package', found 'if' /tmp/lint/.automation/test/go/golang_bad_01.go 1 1 expected 'package', found 'if' /tmp/lint/.automation/test/go/golang_bad_01.go 1 1 expected 'package', found 'if']"\nlevel=errorg="Running error buildir analysis skipped errors in package [go/golang_bad_01.go 1 1 expected 'package', found 'if' /tmp/lint/.automation/test/go/golang_bad_01.go 1 1 expected 'package', found 'if' /tmp/lint/.automation/test/go/golang_bad_01.go 1 1 expected 'package', found 'if']"\n
+ ...
+ok 2 - golang_good_01.go
diff --git a/.automation/trivy-security-scan.sh b/.automation/trivy-security-scan.sh
deleted file mode 100755
index 8de13c6d..00000000
--- a/.automation/trivy-security-scan.sh
+++ /dev/null
@@ -1,105 +0,0 @@
-#!/usr/bin/env bash
-
-################################################################################
-############# Trivy Security Scan @admiralawkbar ###############################
-################################################################################
-
-###########
-# Globals #
-###########
-GITHUB_WORKSPACE="${GITHUB_WORKSPACE}" # GitHub Workspace
-REPORT_NAME='report.sarif' # Name of the generated report
-TEMPLATE_NAME='sarif.tpl' # Name of the template file
-ERRORS_FOUND=0 # Flag for errors founsd in scan
-
-################################################################################
-############################ FUNCTIONS BELOW ###################################
-################################################################################ß
-################################################################################
-#### Function Header ###########################################################
-Header() {
- echo ""
- echo "-------------------------------------------------------"
- echo "--------- Trivy Security Scan on Super-Linter ---------"
- echo "-------------------------------------------------------"
-}
-################################################################################
-#### Function RunScan ##########################################################
-RunScan() {
- ###########################
- # Run the Trivy code scan #
- ###########################
- echo ""
- echo "-------------------------------------------------------"
- echo "Running scan on local code base..."
- echo "Running command:[\"${GITHUB_WORKSPACE}/trivy\" fs --format template --template @\"${GITHUB_WORKSPACE}/${TEMPLATE_NAME}\" -o \"${REPORT_NAME}\" --severity HIGH,CRITICAL --exit-code 1 \"${GITHUB_WORKSPACE}\" 2>&1]"
- RUN_CMD=$("${GITHUB_WORKSPACE}/trivy" fs --format template --template @"${GITHUB_WORKSPACE}/${TEMPLATE_NAME}" -o "${REPORT_NAME}" --severity HIGH,CRITICAL --exit-code 1 "${GITHUB_WORKSPACE}" 2>&1)
-
- #######################
- # Load the error code #
- #######################
- ERROR_CODE=$?
-
- ##############################
- # Check the shell for errors #
- ##############################
- if [ $ERROR_CODE -ne 0 ]; then
- # Erro
- echo "-------------------------------------------------------"r
- echo "ERRORS detected in scan!"
- echo "[${RUN_CMD}]"
- # bump the count
- ERRORS_FOUND=1
- else
- # Success
- echo "-------------------------------------------------------"
- echo "Successfully scanned codebase!"
- fi
-}
-################################################################################
-#### Function OutputReport #####################################################
-OutputReport() {
- ########################################
- # Output the report that was generated #
- ########################################
- echo ""
- echo "-------- [${REPORT_NAME}] Results: --------"
- "${GITHUB_WORKSPACE}/trivy" fs "${GITHUB_WORKSPACE}" 2>&1
- echo "-----------------------------------------"
-}
-################################################################################
-#### Function Footer ###########################################################
-Footer() {
- echo ""
- echo "-------------------------------------------------------"
- echo "The step has completed with error code:[${ERRORS_FOUND}]"
- echo "-------------------------------------------------------"
-
- ########################
- # Exit with error code #
- ########################
- exit "${ERRORS_FOUND}"
-}
-################################################################################
-################################## MAIN ########################################
-################################################################################
-
-##########
-# Header #
-##########
-Header
-
-################
-# Run the scan #
-################
-RunScan
-
-#################
-# Output Report #
-#################
-OutputReport
-
-##########
-# Footer #
-##########
-Footer
diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml
index 76df755e..70060f9d 100644
--- a/.github/workflows/trivy.yml
+++ b/.github/workflows/trivy.yml
@@ -23,25 +23,22 @@ jobs: # run: | # docker build -t docker.io/github/super-linter:${{ github.sha }} . - ########################################### - # Download and install Trivy and template # - ########################################### - - name: Download and Install Trivy - shell: bash - run: | - curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/master/contrib/install.sh | sh -s -- -b ${GITHUB_WORKSPACE} - curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/master/contrib/sarif.tpl -o sarif.tpl - ################################# # Run Trivy Scan of source code # ################################# - name: Trivy Scan - shell: bash - run: ./.automation/trivy-security-scan.sh + uses: aquasecurity/trivy-action@master + with: + scan-type: 'fs' + format: 'template' + exit-code: '1' + template: '@/contrib/sarif.tpl' + output: 'report.sarif' + severity: 'HIGH,CRITICAL' - ################################ - # Upload report to secrity tab # - ################################ + ################################# + # Upload report to security tab # + ################################# - name: Upload Trivy scan results to GitHub Security tab uses: github/codeql-action/upload-sarif@v1 if: always()
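Review bot: `uses: aquasecurity/trivy-action@master` in the trivy.yml hunk pins the scan step to a mutable branch, so the third-party code that runs against the checkout and produces the SARIF gating this job via `exit-code: '1'` can change under the workflow without any review in this repository; pin it to a release tag or, better, a full-length commit SHA with the version in a trailing comment, e.g. `uses: aquasecurity/trivy-action@<full-commit-sha> # <release-tag>`. The removed lines piped `curl ... | sh` into `${GITHUB_WORKSPACE}`, so the action is a net improvement, but a floating `@master` keeps the same class of supply-chain risk. The `upload-sarif@v1` step on the last lines of the hunk is pinned only to a major tag and would deserve the same treatment for consistency. The `template: '@/contrib/sarif.tpl'` value appears to be a path inside the action's container image rather than the checkout (the old script read `${GITHUB_WORKSPACE}/sarif.tpl`), which is worth a one-line comment above it so the next reader does not look for the file in this repository.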