From 0fc941fc2d04995efe1813a2fd3ff499e199053b Mon Sep 17 00:00:00 2001
From: Luke Heath
Date: Mon, 4 Mar 2024 15:29:32 -0600
Subject: [PATCH] Update Trivy vulnerability scan workflow (#17353)
---
 .github/workflows/trivy_scan.yml | 52 +++++++++++++++++++++++---------
 1 file changed, 38 insertions(+), 14 deletions(-)
diff --git a/.github/workflows/trivy_scan.yml b/.github/workflows/trivy_scan.yml
index cc31bb39cc..3aca1a1102 100644
--- a/.github/workflows/trivy_scan.yml
+++ b/.github/workflows/trivy_scan.yml
@@ -1,29 +1,53 @@ name: Trivy vulnerability scan on: + push: + branches: + - main + paths: + - "**.tf" + pull_request: + paths: + - "**.tf" workflow_dispatch: schedule: - - cron: '0 4 * * *' # Nightly 4AM UTC + - cron: "0 4 * * *" # Nightly 4AM UTC + +# This allows a subsequently queued workflow run to interrupt previous runs +concurrency: + group: ${{ github.workflow }}-${{ github.head_ref || github.run_id}} + cancel-in-progress: true + +defaults: + run: + # fail-fast using bash -eo pipefail. See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#exit-codes-and-error-action-preference + shell: bash + +permissions: + contents: read + jobs: - build: - name: Trivy - runs-on: ubuntu-20.04 + trivy: + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + name: Trivy sarif report + runs-on: ubuntu-latest + steps: - name: Checkout code uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0 - name: Run Trivy vulnerability scanner in repo mode - uses: aquasecurity/trivy-action@8bd2f9fbda2109502356ff8a6a89da55b1ead252 # master + uses: aquasecurity/trivy-action@062f2592684a31eb3aa050cc61e7ca1451cecd3d # 0.18.0 with: - scan-type: 'fs' + scan-type: "fs" ignore-unfixed: true - format: 'sarif' - output: 'trivy-results.sarif' - severity: 'CRITICAL' - skip-dirs: 'website/,tools/,infrastructure/,test/,orbit/pkg/insecure/' - trivyignores: '.trivyignore' - security-checks: 'vuln' + format: "sarif" + output: "trivy-results.sarif" + severity: "CRITICAL,HIGH" + trivyignores: ".trivyignore" - name: Upload Trivy scan results to GitHub Security tab - uses: github/codeql-action/upload-sarif@f6e388ebf0efc915c6c5b165b019ee61a6746a38 # v2.2.5 + uses: github/codeql-action/upload-sarif@8a470fddafa5cbb6266ee11b37ef4d8aae19c571 # v3.24.6 with: - sarif_file: 'trivy-results.sarif' + sarif_file: "trivy-results.sarif"
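Review bot: The new `push`/`pull_request` triggers fire only on `**.tf` changes, yet the step still runs a plain `scan-type: "fs"` with no `scanners` input, and as far as I know Trivy's filesystem scan then defaults to vulnerability and secret detection only, not Terraform misconfiguration checks — so a `.tf` edit triggers a run that does not actually inspect the Terraform. If IaC coverage is the intent, add `scanners: "vuln,secret,misconfig"` under `with:` (the `security-checks` input removed here was superseded by `scanners` in trivy-action); if it is not, widen `paths:` to the dependency manifests and lockfiles so pull requests get vulnerability feedback instead of relying solely on the nightly run. Separately, `upload-sarif` needs the job-level `security-events: write`, which GitHub does not grant to the `pull_request` token for pull requests from forks, so if this repository accepts fork PRs the upload step will fail there unless gated, e.g. `if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork == false`. The remaining inputs (pinned action SHAs with version comments, least-privilege `permissions`, `ignore-unfixed` plus `.trivyignore`) look sound.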