From bc970500fbf3844e283ab4efe16064e7f33feaa1 Mon Sep 17 00:00:00 2001
From: tawoe
Date: Wed, 1 Feb 2023 09:48:30 +0100
Subject: [PATCH] actions: separate trivy

---
 .github/workflows/build_package.yml | 32 ------------------
 .github/workflows/run_trivy.yml | 51 +++++++++++++++++++++++++++++
 .gitignore | 1 +
 3 files changed, 52 insertions(+), 32 deletions(-)
 create mode 100644 .github/workflows/run_trivy.yml

diff --git a/.github/workflows/build_package.yml b/.github/workflows/build_package.yml
index 4f37556a7..cdbc4ecc7 100644
--- a/.github/workflows/build_package.yml
+++ b/.github/workflows/build_package.yml
@@ -67,38 +67,6 @@ jobs: docker build . --file .github/Dockerfile_PreBuild_OC --tag docker.io/${{ env.DOCKER_HUB_ORGANIZATION }}/${{ env.DOCKER_HUB_REPOSITORY }}:$GITHUB_SHA-OC --tag docker.io/${{ env.DOCKER_HUB_ORGANIZATION }}/${{ env.DOCKER_HUB_REPOSITORY }}:latest-OC --tag docker.io/${{ env.DOCKER_HUB_ORGANIZATION }}/${{ env.DOCKER_HUB_REPOSITORY }}:develop-OC docker push docker.io/${{ env.DOCKER_HUB_ORGANIZATION }}/${{ env.DOCKER_HUB_REPOSITORY }} --all-tags echo docker done - - id: trivy-db - name: Check trivy db sha - env: - GH_TOKEN: ${{ github.token }} - run: | - endpoint='/orgs/aquasecurity/packages/container/trivy-db/versions' - headers='Accept: application/vnd.github+json' - jqFilter='.[] | select(.metadata.container.tags[] | contains("latest")) | .name | sub("sha256:";"")' - sha=$(gh api -H "${headers}" "${endpoint}" | jq --raw-output "${jqFilter}") - echo "Trivy DB sha256:${sha}" - echo "::set-output name=sha::${sha}" - - uses: actions/cache@v3 - with: - path: .trivy - key: ${{ runner.os }}-trivy-db-${{ steps.trivy-db.outputs.sha }} - - name: Run Trivy vulnerability scanner - uses: aquasecurity/trivy-action@master - with: - image-ref: 'docker.io/${{ env.DOCKER_HUB_ORGANIZATION }}/${{ env.DOCKER_HUB_REPOSITORY }}:${{ github.sha }}' - format: 'template' - template: '@/contrib/sarif.tpl' - output: 'trivy-results.sarif' - security-checks: 'vuln' - severity: 'CRITICAL,HIGH' - timeout: '30m' - cache-dir: .trivy - - name: Fix .trivy permissions - run: sudo chown -R $(stat . -c %u:%g) .trivy - - name: Upload Trivy scan results to GitHub Security tab - uses: github/codeql-action/upload-sarif@v2 - with: - sarif_file: 'trivy-results.sarif' - uses: sigstore/cosign-installer@main diff --git a/.github/workflows/run_trivy.yml b/.github/workflows/run_trivy.yml new file mode 100644 index 000000000..4ee41a7bb --- /dev/null +++ b/.github/workflows/run_trivy.yml 
@@ -0,0 +1,51 @@
+name: build and publish container
+
+on:
+ workflow_run:
+ workflows: ["build and publish container"]
+ types:
+ - completed
+env:
+ ## Sets environment variable
+ DOCKER_HUB_ORGANIZATION: openbankproject
+ DOCKER_HUB_REPOSITORY: obp-api
+
+
+jobs:
+ build:
+ runs-on: ubuntu-latest
+
+ steps:
+ - uses: actions/checkout@v3
+ - id: trivy-db
+ name: Check trivy db sha
+ env:
+ GH_TOKEN: ${{ github.token }}
+ run: |
+ endpoint='/orgs/aquasecurity/packages/container/trivy-db/versions'
+ headers='Accept: application/vnd.github+json'
+ jqFilter='.[] | select(.metadata.container.tags[] | contains("latest")) | .name | sub("sha256:";"")'
+ sha=$(gh api -H "${headers}" "${endpoint}" | jq --raw-output "${jqFilter}")
+ echo "Trivy DB sha256:${sha}"
+ echo "::set-output name=sha::${sha}"
+ - uses: actions/cache@v3
+ with:
+ path: .trivy
+ key: ${{ runner.os }}-trivy-db-${{ steps.trivy-db.outputs.sha }}
+ - name: Run Trivy vulnerability scanner
+ uses: aquasecurity/trivy-action@master
+ with:
+ image-ref: 'docker.io/${{ env.DOCKER_HUB_ORGANIZATION }}/${{ env.DOCKER_HUB_REPOSITORY }}:${{ github.sha }}'
+ format: 'template'
+ template: '@/contrib/sarif.tpl'
+ output: 'trivy-results.sarif'
+ security-checks: 'vuln'
+ severity: 'CRITICAL,HIGH'
+ timeout: '30m'
+ cache-dir: .trivy
+ - name: Fix .trivy permissions
+ run: sudo chown -R $(stat . -c %u:%g) .trivy
+ - name: Upload Trivy scan results to GitHub Security tab
+ uses: github/codeql-action/upload-sarif@v2
+ with:
+ sarif_file: 'trivy-results.sarif'
\ No newline at end of file
diff --git a/.gitignore b/.gitignore
index 64c4fc0ff..eeb1c2624 100644
--- a/.gitignore
+++ b/.gitignore
@@ -22,3 +22,4 @@ obp-api/src/main/scala/code/api/v3_0_0/custom/
 /obp-commons/src/main/resources/git.properties
 /obp-api2/
 /.java-version
+.scannerwork
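Review bot: The `image-ref` in the new run_trivy.yml scans `${{ github.sha }}`, but in a `workflow_run`-triggered workflow that expression is the head of the default branch at trigger time rather than the commit the completed build tagged (the build tags with its own `$GITHUB_SHA`, as the `-OC` tag in the build_package.yml hunk shows), so the scan can target a stale or missing image; use `${{ github.event.workflow_run.head_sha }}` and gate the job on `github.event.workflow_run.conclusion == 'success'` so a failed build does not get an old image scanned and reported as current. `uses: aquasecurity/trivy-action@master` is a mutable ref for a tool that runs with the workflow token and whose output is pushed to the Security tab, so pin it to a release tag or full commit SHA. The workflow also declares no `permissions:` block while `workflow_run` grants a write-capable token by default; `upload-sarif` needs only `security-events: write` plus `contents: read`. Naming this workflow `build and publish container`, identical to the workflow it listens to, makes the Actions and Security views ambiguous and may let it match its own completion, so give it a distinct name. Finally, `::set-output` is deprecated; write `echo "sha=${sha}" >> "$GITHUB_OUTPUT"` instead.
```yaml
name: run trivy

on:
  workflow_run:
    workflows: ["build and publish container"]
    types:
      - completed

permissions:
  contents: read
  security-events: write

# … unchanged: env …

jobs:
  build:
    runs-on: ubuntu-latest
    # scan only an image the triggering build actually pushed
    if: ${{ github.event.workflow_run.conclusion == 'success' }}
    steps:
      # … unchanged: checkout, trivy-db sha lookup, cache …
      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@master  # TODO(review): pin to a release tag or full commit SHA
        with:
          # the commit the completed build tagged, not the default-branch head
          image-ref: 'docker.io/${{ env.DOCKER_HUB_ORGANIZATION }}/${{ env.DOCKER_HUB_REPOSITORY }}:${{ github.event.workflow_run.head_sha }}'
          # … unchanged: format, template, output, security-checks, severity, timeout, cache-dir …
      # … unchanged: permissions fix and SARIF upload …
```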