From d38e1d70c99904cd75fb17220f93f755b70acf2f Mon Sep 17 00:00:00 2001 From: Joe Previte Date: Thu, 3 Mar 2022 11:21:35 -0700 Subject: [PATCH 1/5] fix: re-enable trivvy docker scan From 6869fdbfb3a6da31fd6e21b9e00e2a19e09d23aa Mon Sep 17 00:00:00 2001 From: Joe Previte Date: Thu, 3 Mar 2022 15:35:33 -0700 Subject: [PATCH 2/5] wip --- .github/workflows/ci.yaml | 1 - .github/workflows/trivy-docker.yaml | 42 +++++++++++++++++++++++++++++ 2 files changed, 42 insertions(+), 1 deletion(-) create mode 100644 .github/workflows/trivy-docker.yaml diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 81e0330adcb6..22ebdc2d2b33 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -464,7 +464,6 @@ jobs: - name: Checkout code uses: actions/checkout@v3 - name: Run Trivy vulnerability scanner in repo mode - #Commit SHA for v0.0.17 uses: aquasecurity/trivy-action@296212627a1e693efa09c00adc3e03b2ba8edf18 with: scan-type: "fs" diff --git a/.github/workflows/trivy-docker.yaml b/.github/workflows/trivy-docker.yaml new file mode 100644 index 000000000000..5c004e17b3a8 --- /dev/null +++ b/.github/workflows/trivy-docker.yaml 
@@ -0,0 +1,42 @@ +name: Trivy Nightly Docker Scan + +on: +# TODO@jsjoeio do some nightly check + +permissions: + actions: none + checks: none + contents: read + deployments: none + issues: none + packages: none + pull-requests: none + repository-projects: none + security-events: none + statuses: none + +# Cancel in-progress runs for pull requests when developers push +# additional changes, and serialize builds in branches. +# https://docs.github.com/en/actions/using-jobs/using-concurrency#example-using-concurrency-to-cancel-any-in-progress-job-or-run +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + +jobs: + trivy-scan-image: + runs-on: ubuntu-20.04 + needs: docker-amd64 + + steps: + - name: Run Trivy vulnerability scanner in image mode + uses: aquasecurity/trivy-action@296212627a1e693efa09c00adc3e03b2ba8edf18 + with: + image-ref: 'docker.io/codercom/code-server:latest + ignore-unfixed: true + format: 'sarif' + output: "trivy-image-results.sarif" + severity: "HIGH,CRITICAL" + + - name: Upload Trivy scan results to GitHub Security tab + uses: github/codeql-action/upload-sarif@v1 + with: + sarif_file: "trivy-image-results.sarif" \ No newline at end of file From 737df7b938fb7d86bef0e8a490f300aaa47bed85 Mon Sep 17 00:00:00 2001 From: Joe Previte Date: Fri, 4 Mar 2022 15:23:42 -0700 Subject: [PATCH 3/5] fixup --- .github/workflows/trivy-docker.yaml | 29 +++++++++++++++++++++++++---- 1 file changed, 25 insertions(+), 4 deletions(-) diff --git a/.github/workflows/trivy-docker.yaml b/.github/workflows/trivy-docker.yaml index 5c004e17b3a8..d609ad708bfc 100644 --- a/.github/workflows/trivy-docker.yaml +++ b/.github/workflows/trivy-docker.yaml 
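Review bot: The `permissions` block sets `security-events: none`, but the `github/codeql-action/upload-sarif@v1` step at the end of the hunk needs `security-events: write` to publish results to the Security tab, so under this workflow-level grant the upload will be rejected; change that line to `security-events: write`. The `concurrency` block's comment says in-progress runs are cancelled, yet no `cancel-in-progress` key is set, so the group only serializes runs; either add `cancel-in-progress: true` or reword the comment to describe serialization only. Pinning is also inconsistent: `aquasecurity/trivy-action` is pinned by full commit SHA while `upload-sarif` uses the mutable `@v1` tag (and the hunk in patch 5/5 adds `actions/checkout@v3` the same way); pin all three by SHA and annotate each with its tag, e.g. `uses: aquasecurity/trivy-action@296212627a1e693efa09c00adc3e03b2ba8edf18 # v0.0.17`, which carries over the annotation the ci.yaml hunk in this same patch deletes. The unterminated quote on `image-ref` and the dangling `needs: docker-amd64` are corrected by later patches in the series and are not re-raised here.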
@@ -1,7 +1,28 @@ name: Trivy Nightly Docker Scan on: -# TODO@jsjoeio do some nightly check + # Run scans if the workflow is modified, in order to test the + # workflow itself. This results in some spurious notifications, + # but seems okay for testing. + pull_request: + branches: + - main + paths: + - .github/workflows/trivy-docker.yaml + + # Run scans against master whenever changes are merged. + push: + branches: + - main + paths: + - .github/workflows/trivy-docker.yaml + + schedule: + # Run at 10:15 am UTC (3:15am PT/5:15am CT) + # Run at 0 minutes 0 hours of every day. + - cron: "15 10 * * *" + + workflow_dispatch: permissions: actions: none @@ -30,13 +51,13 @@ jobs: - name: Run Trivy vulnerability scanner in image mode uses: aquasecurity/trivy-action@296212627a1e693efa09c00adc3e03b2ba8edf18 with: - image-ref: 'docker.io/codercom/code-server:latest + image-ref: "docker.io/codercom/code-server:latest" ignore-unfixed: true - format: 'sarif' + format: "sarif" output: "trivy-image-results.sarif" severity: "HIGH,CRITICAL" - name: Upload Trivy scan results to GitHub Security tab uses: github/codeql-action/upload-sarif@v1 with: - sarif_file: "trivy-image-results.sarif" \ No newline at end of file + sarif_file: "trivy-image-results.sarif" From 13eae44e43c46cfb959bc91effb4e1903b07c0ae Mon Sep 17 00:00:00 2001 From: Joe Previte Date: Fri, 4 Mar 2022 15:27:39 -0700 Subject: [PATCH 4/5] fixup --- .github/workflows/trivy-docker.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/trivy-docker.yaml b/.github/workflows/trivy-docker.yaml index d609ad708bfc..978093664b61 100644 --- a/.github/workflows/trivy-docker.yaml +++ b/.github/workflows/trivy-docker.yaml @@ -45,7 +45,6 @@ concurrency: jobs: trivy-scan-image: runs-on: ubuntu-20.04 - needs: docker-amd64 steps: - name: Run Trivy vulnerability scanner in image mode From b5ca8879318e0d6eb25cb4b3625b4b7ac5201d4e Mon Sep 17 00:00:00 2001 
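Review bot: The comments on the new `push` trigger do not match the configuration: they say scans run "against master whenever changes are merged", but the branch filter is `main` and the `paths` filter restricts the trigger to changes to `.github/workflows/trivy-docker.yaml` itself, so a merge to main that does not touch this file will not start a scan. Either drop the `paths` filter under `push` so merged changes are scanned, or reword the comment to `# Re-run the scan when this workflow file changes on main.` Under `schedule`, the line `# Run at 0 minutes 0 hours of every day.` contradicts both the `"15 10 * * *"` cron and the comment above it; delete it. Because the job scans `docker.io/codercom/code-server:latest`, a `pull_request` run reports on whatever is currently published under that mutable tag rather than on the PR's own content, which is worth stating in the comment above `pull_request` so readers do not expect the PR build to be scanned.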
From: Joe Previte Date: Fri, 4 Mar 2022 15:29:48 -0700 Subject: [PATCH 5/5] fixup --- .github/workflows/trivy-docker.yaml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/trivy-docker.yaml b/.github/workflows/trivy-docker.yaml index 978093664b61..ae5c266659fd 100644 --- a/.github/workflows/trivy-docker.yaml +++ b/.github/workflows/trivy-docker.yaml @@ -47,6 +47,9 @@ jobs: runs-on: ubuntu-20.04 steps: + - name: Checkout code + uses: actions/checkout@v3 + - name: Run Trivy vulnerability scanner in image mode uses: aquasecurity/trivy-action@296212627a1e693efa09c00adc3e03b2ba8edf18 with:
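Review bot: The added `Checkout code` step is not obviously needed by this job: the Trivy step scans a registry image through `image-ref`, not the repository tree, and none of the visible steps read checked-out files. If it was added because `upload-sarif` resolves paths relative to the workspace, add a comment on the step saying so, e.g. `# Checkout only so upload-sarif has a workspace to resolve SARIF paths against`; otherwise remove the step to keep the job's footprint to the two steps it actually needs. The job's step list continues past the end of this hunk.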