.github/workflows/trivy-scan.yml

name: Trivy Vulnerability Scan

on:
  pull_request:
    branches:
      - develop
      - master

  workflow_dispatch:  # Allows manual runs from the GitHub UI

jobs:
  trivy-scan:
    runs-on: ubuntu-latest
      

    steps:
    # Checkout the pull request code
    - name: Checkout code
      uses: actions/checkout@v4

    # Set up Java 17
    - name: Set up Java 17
      uses: actions/setup-java@v4
      with:
        java-version: '17'
        distribution: 'temurin' # Use Eclipse Temurin distribution for Java

    # Install Trivy if not cached
    - name: Install Trivy
      run: |
        TRIVY_LATEST_VERSION=$(curl --silent "https://api.github.com/repos/aquasecurity/trivy/releases/latest" | jq -r .tag_name)
        wget https://github.com/aquasecurity/trivy/releases/download/${TRIVY_LATEST_VERSION}/trivy_${TRIVY_LATEST_VERSION#v}_Linux-64bit.deb
        sudo dpkg -i trivy_${TRIVY_LATEST_VERSION#v}_Linux-64bit.deb
    
    # Run Trivy to scan the repository or container image
    - name: Run Trivy scan
      id: trivy-scan
      run: |
        ./gradlew dependencies --write-locks
        trivy fs gradle.lockfile --format json --output trivy_report.json --severity HIGH,CRITICAL
        /bin/rm -rf gradle/dependency-locks
        /bin/rm gradle.lockfile
      env:
        TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db
        TRIVY_JAVA_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-java-db

    # Check for high or critical vulnerabilities
    - name: Check vulnerabilities
      id: check-vulns
      run: |
        vuln_count=$(jq '[.Results[]?.Vulnerabilities[]? | select(.Severity == "HIGH" or .Severity == "CRITICAL")] | length' trivy_report.json)
        echo "Vulnerability count: $vuln_count"
        if [ "$vuln_count" -gt 0 ]; then
          echo "High or Critical vulnerabilities found!"
          exit 1
        else
          echo "No high or critical vulnerabilities found."
        fi
    
    # Output the vulnerabilities in a human-readable format
    - name: Output vulnerabilities
      if: failure()  # Run only if the previous step fails
      run: |
        jq '.Results[]?.Vulnerabilities[] | select(.Severity == "HIGH" or .Severity == "CRITICAL") | "\(.VulnerabilityID): \(.PkgName) - Severity: \(.Severity) - Fixed Version: \(.FixedVersion)"' trivy_report.json