fix: add scan-image and scan-repo

jsjoeio · jsjoeio · commit f1491ece56ac · 2021-05-03T16:26:35.000-07:00
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
@@ -407,25 +407,14 @@ jobs:
           name: release-images
           path: ./release-images
 
-  trivy-scan:
+  trivy-scan-image:
     runs-on: ubuntu-20.04
     needs: docker-amd64
 
     steps:
       - name: Checkout code
         uses: actions/checkout@v2
 
-      - name: Run Trivy vulnerability scanner in repo mode
-        uses: aquasecurity/trivy-action@master
-        with:
-          scan-type: "fs"
-          scan-ref: "."
-          ignore-unfixed: true
-          format: "template"
-          template: "@/contrib/sarif.tpl"
-          output: "trivy-repo-results.sarif"
-          severity: "CRITICAL"
-
       - name: Download release images
         uses: actions/download-artifact@v2
         with:
@@ -435,7 +424,7 @@ jobs:
       - name: Run Trivy vulnerability scanner in image mode
         uses: aquasecurity/trivy-action@master
         with:
-          input: "./release-images/*.tar"
+          input: "./release-images/code-server-amd64-*.tar"
           scan-type: "image"
           ignore-unfixed: true
           format: "template"
@@ -446,9 +435,31 @@ jobs:
       - name: Upload Trivy scan results to GitHub Security tab
         uses: github/codeql-action/upload-sarif@v1
         with:
-          sarif_file: "trivy-repo-results.sarif"
+          sarif_file: "trivy-image-results.sarif"
+
+  # We have to use two trivy jobs
+  # because GitHub only allows
+  # codeql/upload-sarif action per job
+  trivy-scan-repo:
+    runs-on: ubuntu-20.04
+    needs: docker-amd64
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v2
+
+      - name: Run Trivy vulnerability scanner in repo mode
+        uses: aquasecurity/trivy-action@master
+        with:
+          scan-type: "fs"
+          scan-ref: "."
+          ignore-unfixed: true
+          format: "template"
+          template: "@/contrib/sarif.tpl"
+          output: "trivy-repo-results.sarif"
+          severity: "CRITICAL"
 
       - name: Upload Trivy scan results to GitHub Security tab
         uses: github/codeql-action/upload-sarif@v1
         with:
-          sarif_file: "trivy-image-results.sarif"
+          sarif_file: "trivy-repo-results.sarif"
