From 75a9419412589f3efff1c36bc6c4e557ffdead3f Mon Sep 17 00:00:00 2001
From: Guillaume Ross <guillaume@fleetdm.com>
Date: Mon, 31 Oct 2022 10:50:29 -0400
Subject: [PATCH] 8241 trivy ignore file action (#8345)

* Create .trivyignore

Adding original trivy ignore file. Working to resolve/document more of the findings, especially around go.mod. Will add a github action as well.

* Adding default trivy scan for testing

* Update trivy_scan.yml

Making it manual + daily for now

* Update trivy_scan.yml

updating name

* Renamed + configured Trivy scan
---
 .github/workflows/trivy_scan.yml | 29 +++++++++++++++++++++++++++++
 .trivyignore                     | 14 ++++++++++++++
 2 files changed, 43 insertions(+)
 create mode 100644 .github/workflows/trivy_scan.yml
 create mode 100644 .trivyignore

diff --git a/.github/workflows/trivy_scan.yml b/.github/workflows/trivy_scan.yml
new file mode 100644
index 000000000..7c41d726d
--- /dev/null
+++ b/.github/workflows/trivy_scan.yml
@@ -0,0 +1,29 @@
+name: Trivy vulnerability scan
+on:
+  workflow_dispatch:
+  schedule:
+  - cron: '0 4 * * *' # Nightly 4AM UTC
+jobs:
+  build:
+    name: Trivy
+    runs-on: ubuntu-20.04
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v3
+
+      - name: Run Trivy vulnerability scanner in repo mode
+        uses: aquasecurity/trivy-action@master
+        with:
+          scan-type: 'fs'
+          ignore-unfixed: true
+          format: 'sarif'
+          output: 'trivy-results.sarif'
+          severity: 'CRITICAL'
+          skip-dirs: 'website/,tools/,infrastructure/,test/,orbit/pkg/insecure/'
+          trivyignores: '.trivyignore'
+          security-checks: 'vuln'
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          sarif_file: 'trivy-results.sarif'
diff --git a/.trivyignore b/.trivyignore
new file mode 100644
index 000000000..a2f263d8f
--- /dev/null
+++ b/.trivyignore
@@ -0,0 +1,14 @@
+# These AWS SDK CVEs do not impact Fleet as we do not use S3 client-side crypto features
+
+CVE-2020-8911
+CVE-2020-8912
+GHSA-7f33-f4f5-xwgw
+GHSA-f5pg-7wfw-84q9
+
+# Vulnerable code in trim is not used in Fleet
+
+CVE-2020-7753
+
+# We feel like the risk of DoS using this technique, which requires being logged in, is low probability and low impact, as such we will not update glob-parent only for this CVE
+
+CVE-2020-28469