From 1787c1f16f3048a556aef2f124d33b8e6c83542d Mon Sep 17 00:00:00 2001
From: Robert Waffen
Date: Fri, 29 Nov 2024 09:04:48 +0100
Subject: [PATCH 1/2] feat(ci): switch from trivy to grype
---
 .github/workflows/security_scanning.yml | 43 +++++++++++++++++++++++++
 .github/workflows/trivy-analysis.yml | 42 ------------------------
 2 files changed, 43 insertions(+), 42 deletions(-)
 create mode 100644 .github/workflows/security_scanning.yml
 delete mode 100644 .github/workflows/trivy-analysis.yml
diff --git a/.github/workflows/security_scanning.yml b/.github/workflows/security_scanning.yml
new file mode 100644
index 00000000..f8fc12fa
--- /dev/null
+++ b/.github/workflows/security_scanning.yml
@@ -0,0 +1,43 @@
+---
+name: Security Scanning 🕵️
+
+on:
+ push:
+ branches:
+ - main
+ pull_request:
+ branches:
+ - main
+
+jobs:
+ scan_ci_container:
+ name: 'Scan CI container'
+ runs-on: ubuntu-latest
+ permissions:
+ actions: read
+ contents: read
+ security-events: write
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+
+ - name: Build CI container
+ uses: docker/build-push-action@v6
+ with:
+ tags: 'ci/puppetboard:${{ github.sha }}'
+ push: false
+
+ - name: Scan image with Anchore Grype
+ uses: anchore/scan-action@v5
+ id: scan
+ with:
+ image: 'ci/puppetboard:${{ github.sha }}'
+ fail-build: false
+
+ - name: Inspect action SARIF report
+ run: jq . ${{ steps.scan.outputs.sarif }}
+
+ - name: Upload Anchore scan SARIF report
+ uses: github/codeql-action/upload-sarif@v3
+ with:
+ sarif_file: ${{ steps.scan.outputs.sarif }}
diff --git a/.github/workflows/trivy-analysis.yml b/.github/workflows/trivy-analysis.yml
deleted file mode 100644
index 1f7e9f43..00000000
--- a/.github/workflows/trivy-analysis.yml
+++ /dev/null
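Review bot: Every `uses:` in the new security_scanning.yml (`actions/checkout@v4`, `docker/build-push-action@v6`, `anchore/scan-action@v5`, `github/codeql-action/upload-sarif@v3`) references a mutable tag, so the code that builds the image, scans it and uploads the report can change underneath the repository without a reviewed commit. Pinning each to a full commit SHA with the tag as a trailing comment, e.g. `uses: anchore/scan-action@<full-commit-sha>  # v5`, closes that gap; this is still a step up from the deleted workflow's `aquasecurity/trivy-action@master`. `fail-build: false` on the scan step means findings only ever reach the Security tab and never block the job, which mirrors the old Trivy step but deserves a comment such as `# advisory only: findings are uploaded as SARIF, the job does not fail on them` or a tightening via the action's `severity-cutoff` input. The `Build CI container` step also dropped the `context: .` the Trivy workflow had, so build-push-action presumably falls back to its default Git context instead of the tree produced by the checkout step; harmless for same-repository refs, but a silent behavior change worth confirming.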
@@ -1,42 +0,0 @@
----
-name: Trivy
-
-on:
- push:
- branches:
- - master
- pull_request:
- # The branches below must be a subset of the branches above
- branches:
- - master
-
-jobs:
- analyze:
- name: 'Analyze'
- runs-on: ubuntu-latest
- permissions:
- actions: read
- contents: read
- security-events: write
- steps:
- - name: Checkout repository
- uses: actions/checkout@v4
-
- - name: Build Docker image
- uses: docker/build-push-action@v6
- with:
- context: .
- tags: 'ci/puppetboard:${{ github.sha }}'
- push: false
-
- - name: Run Trivy vulnerability scanner
- uses: aquasecurity/trivy-action@master
- with:
- image-ref: 'ci/puppetboard:${{ github.sha }}'
- format: 'sarif'
- output: 'trivy-results.sarif'
-
- - name: Upload Trivy scan results to GitHub Security tab
- uses: github/codeql-action/upload-sarif@v3
- with:
- sarif_file: 'trivy-results.sarif'
From 7103f6f97a8fff342b8cc26824dfb4df338f22f6 Mon Sep 17 00:00:00 2001
From: Robert Waffen
Date: Fri, 29 Nov 2024 09:08:36 +0100
Subject: [PATCH 2/2] fix(ci): also scan master branch
---
 .github/workflows/security_scanning.yml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/.github/workflows/security_scanning.yml b/.github/workflows/security_scanning.yml
index f8fc12fa..69e0c4de 100644
--- a/.github/workflows/security_scanning.yml
+++ b/.github/workflows/security_scanning.yml
@@ -5,9 +5,11 @@ on:
 push:
 branches:
 - main
+ - master
 pull_request:
 branches:
 - main
+ - master
 jobs:
 scan_ci_container: