From 67241e2ef8fe7eb93acf1958748344e4519a23f7 Mon Sep 17 00:00:00 2001
From: "Kornev, Nikita"
Date: Wed, 29 Jan 2025 18:07:48 +0100
Subject: [PATCH 1/6] [CI] Add Trivy workflow

This patch adds a workflow to perform trivy check as required by our public release policy.
---
 .github/workflows/trivy.yml | 35 +++++++++++++++++++++++++++++++++++
 devops/.trivyignore.txt | 3 +++
 2 files changed, 38 insertions(+)
 create mode 100644 .github/workflows/trivy.yml
 create mode 100644 devops/.trivyignore.txt

diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml
new file mode 100644
index 0000000000000..00b0ee2661ffb
--- /dev/null
+++ b/.github/workflows/trivy.yml
@@ -0,0 +1,35 @@
+# This workflow performs trivy check of docker config files.
+# It triggers only on pushs to devops/containers.
+# For more info: https://github.com/aquasecurity/trivy-action
+
+name: Trivy
+
+on:
+ push:
+ paths:
+ - 'devops/containers/**'
+ workflow_dispatch:
+
+jobs:
+ build:
+ name: Trivy
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v4
+ with:
+ sparse-checkout: devops
+
+ - name: Run Trivy vulnerability scanner
+ uses: aquasecurity/trivy-action@0.29.0
+ with:
+ scan-type: 'config'
+ scan-ref: devops/containers
+ trivyignores: devops/.trivyignore.txt
+ format: 'sarif'
+ output: 'trivy-results.sarif'
+
+ - name: Upload Trivy scan results to GitHub Security tab
+ uses: github/codeql-action/upload-sarif@v3
+ with:
+ sarif_file: 'trivy-results.sarif'
diff --git a/devops/.trivyignore.txt b/devops/.trivyignore.txt
new file mode 100644
index 0000000000000..167c93b7e2b91
--- /dev/null
+++ b/devops/.trivyignore.txt
@@ -0,0 +1,3 @@
+misconfigurations:
+ - id: AVD-DS-0026
+ statement: "Our containers do not provide running services, but only preinstalled tools, there is not much value in adding HEALTHCHECK directives"

From 55d424cd48ad3a940b77ad653d94175d96c3f1c0 Mon Sep 17 00:00:00 2001
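Review bot: The new workflow declares no top-level `permissions:` block, so the job runs with whatever default GITHUB_TOKEN scopes the repository grants instead of the minimum it needs; add `permissions:` / `  contents: read` above `jobs:` (in this revision the `upload-sarif` step would additionally need `security-events: write`, and without it the upload will likely fail where the default token is read-only). The references `actions/checkout@v4`, `aquasecurity/trivy-action@0.29.0` and `github/codeql-action/upload-sarif@v3` are mutable tags rather than commit SHAs, so the scanner's own supply chain can change under the workflow without any diff here. Pinning each `uses:` to a full commit SHA with the tag in a trailing comment fixes that, and the same applies to `actions/upload-artifact@v4` introduced in [PATCH 3/6].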
From: KornevNikita
Date: Fri, 31 Jan 2025 02:23:13 -0800
Subject: [PATCH 2/6] Switch to on: pull_request

---
 .github/workflows/trivy.yml | 23 +++++++------------
 .../{.trivyignore.txt => .trivyignore.yaml} | 2 ++
 2 files changed, 10 insertions(+), 15 deletions(-)
 rename devops/{.trivyignore.txt => .trivyignore.yaml} (59%)

diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml
index 00b0ee2661ffb..4b4366c969402 100644
--- a/.github/workflows/trivy.yml
+++ b/.github/workflows/trivy.yml
@@ -1,11 +1,9 @@
 # This workflow performs trivy check of docker config files.
-# It triggers only on pushs to devops/containers.
-# For more info: https://github.com/aquasecurity/trivy-action
 name: Trivy
 on:
- push:
+ pull_request:
 paths:
 - 'devops/containers/**'
 workflow_dispatch:
@@ -20,16 +18,11 @@ jobs:
 with:
 sparse-checkout: devops
- - name: Run Trivy vulnerability scanner
- uses: aquasecurity/trivy-action@0.29.0
- with:
- scan-type: 'config'
- scan-ref: devops/containers
- trivyignores: devops/.trivyignore.txt
- format: 'sarif'
- output: 'trivy-results.sarif'
+ # There is a github action, but for some reason it ignores ignore-file.
+ - name: Install Trivy
+ run: |
+ curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh
+ ./bin/trivy --version
- - name: Upload Trivy scan results to GitHub Security tab
- uses: github/codeql-action/upload-sarif@v3
- with:
- sarif_file: 'trivy-results.sarif'
+ - name: Run Trivy vulnerability scanner
+ run: ./bin/trivy config devops/containers --ignorefile=devops/.trivyignore.yaml
diff --git a/devops/.trivyignore.txt b/devops/.trivyignore.yaml
similarity index 59%
rename from devops/.trivyignore.txt
rename to devops/.trivyignore.yaml
index 167c93b7e2b91..f942ef6ba2a9d 100644
--- a/devops/.trivyignore.txt
+++ b/devops/.trivyignore.yaml
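Review bot: Replacing `push` with `pull_request` leaves the default branch itself unscanned after merge, so a misconfiguration that lands without a PR, or that only appears once the base branch moves, produces no signal. Keeping a `push:` trigger restricted to the default branch next to `pull_request:` (`push:` / `  branches: [<default-branch>]` / `  paths:` with the same list; the branch name is a placeholder) gives a post-merge baseline without re-running on every topic-branch push.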
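Review bot: The `Install Trivy` step fetches `contrib/install.sh` from the upstream `main` branch and pipes it into `sh`, so each run executes whatever that branch holds at that moment and installs whichever release the script defaults to; this trades the version-pinned `aquasecurity/trivy-action@0.29.0` for an unpinned, unverified download. Pin both the script and the binary to a release tag, e.g. `curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/<TRIVY_TAG>/contrib/install.sh | sh -s -- -b ./bin <TRIVY_TAG>` (the tag is a placeholder; the script accepts `-b <dir>` and a version argument), or record the release checksum and verify the downloaded binary before `./bin/trivy --version`. The comment `# There is a github action, but for some reason it ignores ignore-file.` should record the action version tried and the observed symptom, since the removed step did pass `trivyignores:`, so the workaround can be revisited once the cause is known.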
@@ -1,3 +1,5 @@
 misconfigurations:
+ - id: AVD-DS-0001
+ statement: "We use our own containers, no uncontrolled behavior is expected when the image is updated"
 - id: AVD-DS-0026
 statement: "Our containers do not provide running services, but only preinstalled tools, there is not much value in adding HEALTHCHECK directives"

From d6e46dcfe5e82fc9c9f4fdf6d7c2a6c4e375a664 Mon Sep 17 00:00:00 2001
From: "Kornev, Nikita"
Date: Mon, 3 Feb 2025 11:33:14 +0100
Subject: [PATCH 3/6] artifact

---
 .github/workflows/trivy.yml | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml
index 4b4366c969402..17027afc66d4d 100644
--- a/.github/workflows/trivy.yml
+++ b/.github/workflows/trivy.yml
@@ -25,4 +25,11 @@ jobs:
 ./bin/trivy --version
 - name: Run Trivy vulnerability scanner
- run: ./bin/trivy config devops/containers --ignorefile=devops/.trivyignore.yaml
+ run: ./bin/trivy config --format json --output trivy-report.json --ignorefile=devops/.trivyignore.yaml devops/containers
+
+ - name: Upload report artifact
+ uses: actions/upload-artifact@v4
+ with:
+ name: trivy-report
+ path: trivy-report.json
+ retention-days: 3

From 889290a6653adba3ded4517f183bf4acaae755b5 Mon Sep 17 00:00:00 2001
From: Nikita Kornev
Date: Tue, 4 Feb 2025 16:09:25 +0100
Subject: [PATCH 4/6] Update .github/workflows/trivy.yml

Co-authored-by: Nick Sarnie
---
 .github/workflows/trivy.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml
index 17027afc66d4d..dcd8ebdeff842 100644
--- a/.github/workflows/trivy.yml
+++ b/.github/workflows/trivy.yml
@@ -1,4 +1,4 @@
-# This workflow performs trivy check of docker config files.
+# This workflow performs a trivy check of docker config files.
 name: Trivy

From 0fdba39d5397c62aab75a22eb4c3b3618aa74520 Mon Sep 17 00:00:00 2001
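Review bot: The new `AVD-DS-0001` entry suppresses that check for every file under `devops/containers` with no scope and no expiry, so base-image drift in any future Dockerfile is accepted on the strength of a justification written for today's images. If the exception is really about specific images, restrict it with a per-entry `paths:` list, and consider `expired_at:` so the rationale is re-reviewed on a schedule; both fields are part of Trivy's YAML ignore format (confirm against the installed version). The `statement:` is worth keeping, but it should also say which check the ID is (it appears to be the unpinned/`latest` image-tag finding) so reviewers do not have to look the ID up.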
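Review bot: `retention-days: 3` on the `Upload report artifact` step discards the only copy of the findings after three days, while [PATCH 1/6] describes this scan as required by the public release policy; if the report is the evidence for that policy, it will be gone before any release review looks for it. Either raise the retention to cover the release cadence (GitHub caps it at the repository's configured maximum) or keep a human-readable copy in the job log by adding a second invocation, or `--format table`, since `--format json --output trivy-report.json` removes all findings from the log. The enclosing `jobs:` block starts outside the hunk.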
From: "Kornev, Nikita"
Date: Tue, 4 Feb 2025 16:38:21 +0100
Subject: [PATCH 5/6] return 1 in case of fail

---
 .github/workflows/trivy.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml
index dcd8ebdeff842..2aec8ffa739f2 100644
--- a/.github/workflows/trivy.yml
+++ b/.github/workflows/trivy.yml
@@ -25,7 +25,7 @@ jobs:
 ./bin/trivy --version
 - name: Run Trivy vulnerability scanner
- run: ./bin/trivy config --format json --output trivy-report.json --ignorefile=devops/.trivyignore.yaml devops/containers
+ run: ./bin/trivy config --format json --output trivy-report.json --ignorefile=devops/.trivyignore.yaml devops/containers --exit-code 1
 - name: Upload report artifact
 uses: actions/upload-artifact@v4

From 28a701eb59e0c7cfee83477398c87c2a1e5dddb7 Mon Sep 17 00:00:00 2001
From: "Kornev, Nikita"
Date: Tue, 4 Feb 2025 16:39:57 +0100
Subject: [PATCH 6/6] trigger on these files

---
 .github/workflows/trivy.yml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml
index 2aec8ffa739f2..26637cac9d5e3 100644
--- a/.github/workflows/trivy.yml
+++ b/.github/workflows/trivy.yml
@@ -6,6 +6,8 @@ on:
 pull_request:
 paths:
 - 'devops/containers/**'
+ - 'devops/.trivyignore.yaml'
+ - '.github/workflows/trivy.yml'
 workflow_dispatch:
 jobs:
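Review bot: With `--exit-code 1` the scan step now fails whenever there are findings, and the `Upload report artifact` step that follows has no `if:` condition, so it is skipped exactly when there is a report worth reading. Add `if: always()` (or `if: ${{ !cancelled() }}`) to the upload step so the JSON report is published on failure as well as on success. The upload step's `with:` block continues outside the hunk.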
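Review bot: Adding `devops/.trivyignore.yaml` and `.github/workflows/trivy.yml` to `paths:` correctly re-runs the scan when its own inputs change, but on `pull_request` the workflow definition and the ignore list are taken from the PR's merge ref, so the same PR that edits either file is checked by the edited version. That is inherent to `pull_request` and not a defect in these two lines; the mitigation is outside the workflow, e.g. a CODEOWNERS rule or required review on `.github/workflows/` and `devops/.trivyignore.yaml` so that changes to the check itself get a deliberate look. A one-line comment above the added paths, `# re-run when the check itself or its ignore list changes`, would record why they are listed.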