From 9a2aaed1c4ca7d638a5deaf236b0bfecbbac50a9 Mon Sep 17 00:00:00 2001
From: Fran Mulero
Date: Tue, 21 Jun 2022 10:49:37 +0200
Subject: [PATCH] [containers/*] Trivy verification (#8)

* Add trivy verification phase to the pipeline
* Fix branches in pull_request_target event

Signed-off-by: Fran Mulero
---
 .github/workflows/vib-verify.yaml | 4 ++--
 .vib/vib-scheduled-verify.json | 33 ++++++++++++++++++++++++-------
 .vib/vib-verify.json | 33 ++++++++++++++++++++++++-------
 3 files changed, 54 insertions(+), 16 deletions(-)

diff --git a/.github/workflows/vib-verify.yaml b/.github/workflows/vib-verify.yaml
index b6e81586fc62..03f80348b1c3 100644
--- a/.github/workflows/vib-verify.yaml
+++ b/.github/workflows/vib-verify.yaml
@@ -7,8 +7,8 @@ on: # rebuild any PRs and main branch changes
 - synchronize
 - labeled
 branches:
- master
- bitnami:master
+ main
+ bitnami:main
 env:
 CSP_API_URL: https://console.cloud.vmware.com
 CSP_API_TOKEN: ${{ secrets.CSP_API_TOKEN }}
diff --git a/.vib/vib-scheduled-verify.json b/.vib/vib-scheduled-verify.json
index ce608629773c..174e51905e88 100644
--- a/.vib/vib-scheduled-verify.json
+++ b/.vib/vib-scheduled-verify.json
@@ -1,12 +1,12 @@
 {
+ "context": {
+ "resources": {
+ "url": "{VIB_ENV_URL}",
+ "path": "{VIB_ENV_PATH}"
+ }
+ },
 "phases": {
 "package": {
- "context": {
- "resources": {
- "url": "{VIB_ENV_URL}",
- "path": "{VIB_ENV_PATH}"
- }
- },
 "actions": [
 {
 "action_id": "container-image-package",
@@ -20,7 +20,26 @@
 }
 },
 {
- "action_id": "container-image-lint"
+ "action_id": "container-image-lint",
+ "params": {
+ "threshold": "warning"
+ }
+ }
+ ]
+ },
+ "verify": {
+ "actions": [
+ {
+ "action_id": "trivy",
+ "params": {
+ "threshold": "CRITICAL",
+ "vuln_type": [
+ "OS"
+ ],
+ "application": {
+ "kind": "CONTAINER_IMAGE"
+ }
+ }
 }
 ]
 }
diff --git a/.vib/vib-verify.json b/.vib/vib-verify.json
index 5b661a56c772..233c97e795c6 100644
--- a/.vib/vib-verify.json
+++ b/.vib/vib-verify.json
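Review bot: The `- bitnami:main` entry under `branches:` cannot match anything — the `branches` filter of `pull_request_target` is compared against the base ref name, and a git ref name cannot contain `:` — so only `- main` is doing any work; drop the `bitnami:main` line, or if the intent was to restrict which repository the base lives in, enforce that inside the job rather than in the trigger filter. Separately, this trigger is `pull_request_target` with `CSP_API_TOKEN` exposed in `env` and it re-fires on `synchronize`; if the jobs (outside this hunk) gate on a maintainer-applied label and then build the PR head, a later push by the PR author re-runs with the secret still available unless the job re-checks the label and pins the exact head SHA it fetched. The `on:` block starts before this hunk and the jobs follow it.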
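Review bot: The `trivy` action added under `verify` fails the scheduled run only on CRITICAL findings in OS packages (`"threshold": "CRITICAL"`, `"vuln_type": ["OS"]`), so HIGH-severity CVEs and any vulnerable language-level packages bundled in the image (pip/npm/Go modules) are not gated at all. For a scheduled scan of an already-published image that is a wide gap: the image can keep passing indefinitely while carrying HIGH OS CVEs or critical library CVEs. If the VIB action forwards these values to Trivy's severity and vulnerability-type filters, tighten the gate to `"threshold": "HIGH"` and `"vuln_type": ["OS", "LIBRARY"]`; if library scanning is not supported by the action, document that limitation next to the pipeline (this JSON has no comment syntax) so the phase is not mistaken for a full image scan. The `phases` object and the top-level document close after this hunk.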
@@ -1,12 +1,12 @@
 {
+ "context": {
+ "resources": {
+ "url": "{SHA_ARCHIVE}",
+ "path": "{VIB_ENV_PATH}"
+ }
+ },
 "phases": {
 "package": {
- "context": {
- "resources": {
- "url": "{SHA_ARCHIVE}",
- "path": "{VIB_ENV_PATH}"
- }
- },
 "actions": [
 {
 "action_id": "container-image-package",
@@ -20,7 +20,26 @@
 }
 },
 {
- "action_id": "container-image-lint"
+ "action_id": "container-image-lint",
+ "params": {
+ "threshold": "warning"
+ }
+ }
+ ]
+ },
+ "verify": {
+ "actions": [
+ {
+ "action_id": "trivy",
+ "params": {
+ "threshold": "CRITICAL",
+ "vuln_type": [
+ "OS"
+ ],
+ "application": {
+ "kind": "CONTAINER_IMAGE"
+ }
+ }
 }
 ]
 }
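Review bot: The PR-time `trivy` action has the same gap as the scheduled pipeline: it only rejects CRITICAL findings in OS packages, so a change that pulls in a HIGH-severity OS CVE or any vulnerable language package still passes `verify`. Because this file's `context.resources.url` is `{SHA_ARCHIVE}` (earlier hunk), the scanned image appears to be built from the contributor's commit, which makes this gate the check that matters most before a PR reaches a published image; tighten it to `"threshold": "HIGH"` and `"vuln_type": ["OS", "LIBRARY"]` if the action accepts those values, and keep this block byte-identical with `.vib/vib-scheduled-verify.json` so the two pipelines do not drift. The `phases` object and the top-level document close after this hunk.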