Reject pull requests that change imported licenses

We import dependencies that use a handful of open-source licenses. We want to be intentional about any change to these licenses, so this automation flags pull requests that do so. Go modules are immutable, so checking during pull requests and pushes should suffice. Issue: PGO-1556
CrunchyData · Sep 17, 2024 · df009c0 · df009c0
1 parent 91398e4
commit df009c0
Show file tree

Hide file tree

Showing 2 changed files with 34 additions and 8 deletions.
diff --git a/.github/workflows/trivy-pr-scan.yaml → .github/workflows/trivy.yaml b/.github/workflows/trivy-pr-scan.yaml → .github/workflows/trivy.yaml
@@ -1,5 +1,3 @@
-# Uses Trivy to scan every pull request, rejecting those with severe, fixable vulnerabilities.
-# Scans on PR to master and weekly with same behavior.
 name: Trivy
 
 on:
@@ -11,7 +9,20 @@ on:
       - master
 
 jobs:
-  scan:
+  licenses:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      # Report success only when detected licenses are listed in [/trivy.yaml].
+      - uses: aquasecurity/trivy-action@v0
+        with:
+          exit-code: 1
+          scan-type: filesystem
+          scanners: license
+          severity: UNKNOWN
+
+  vulnerabilities:
     if: ${{ github.repository == 'CrunchyData/postgres-operator' }}
 
     permissions:
@@ -28,23 +39,25 @@ jobs:
       # and is a convenience/redundant effort for those who prefer to
       # read logs and/or if anything goes wrong with the upload.
       - name: Log all detected vulnerabilities
-        uses: aquasecurity/trivy-action@master
+        uses: aquasecurity/trivy-action@v0
         with:
-          scan-type: fs
+          scan-type: filesystem
           hide-progress: true
           ignore-unfixed: true
-
+          scanners: secret,vuln
+
       # Upload actionable results to the GitHub Security tab.
       # Pull request checks fail according to repository settings.
       # - https://docs.github.com/en/code-security/code-scanning/integrating-with-code-scanning/uploading-a-sarif-file-to-github
       # - https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning
       - name: Report actionable vulnerabilities
-        uses: aquasecurity/trivy-action@master
+        uses: aquasecurity/trivy-action@v0
         with:
-          scan-type: fs
+          scan-type: filesystem
           ignore-unfixed: true
           format: 'sarif'
           output: 'trivy-results.sarif'
+          scanners: secret,vuln
 
       - name: Upload Trivy scan results to GitHub Security tab
         uses: github/codeql-action/upload-sarif@v3

diff --git a/trivy.yaml b/trivy.yaml
@@ -0,0 +1,13 @@
+---
+# Specify an exact list of recognized and acceptable licenses.
+# [A GitHub workflow](/.github/workflows/trivy.yaml) rejects pull requests that
+# import licenses not in this list.
+#
+# https://aquasecurity.github.io/trivy/latest/docs/scanner/license/
+license:
+  notice:
+    #- Apache-2.0
+    - BSD-2-Clause
+    - BSD-3-Clause
+    - ISC
+    - MIT