From c591461fdefd87a58fdb4c220d8d3ca4c193081f Mon Sep 17 00:00:00 2001
From: nicolargo
Date: Sun, 10 Mar 2024 19:55:02 +0100
Subject: Add Cyber scan (Trivy) github action
---
.github/workflows/build.yml | 8 +-------
.github/workflows/ci.yml | 7 +++++--
.github/workflows/cyber.yml | 28 ++++++++++++++++++++++++++++
.github/workflows/quality.yml | 18 ------------------
.github/workflows/test.yml | 13 +------------
.github/workflows/webui.yml | 7 -------
6 files changed, 35 insertions(+), 46 deletions(-)
create mode 100644 .github/workflows/cyber.yml
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index b5e4964a..36fc816f 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -1,6 +1,6 @@
# This pipeline aims at building Glances for the following targets:
-# - Docker Hub
# - Pypi
+# - Docker Hub
name: build
@@ -27,12 +27,6 @@ on:
DOCKER_TOKEN:
description: 'Docker Hub token'
required: true
- # pull_request: # branches: [ develop ] # push: # branches: [ master, develop ] # tags: # - v*
jobs:
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index db1bad14..9116e0fd 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -13,11 +13,14 @@ jobs:
uses: ./.github/workflows/quality.yml
test:
uses: ./.github/workflows/test.yml
- needs: quality
+ needs: [quality]
webui:
if: ${{ always() }}
uses: ./.github/workflows/webui.yml
needs: [quality, test]
+ cyber:
+ uses: ./.github/workflows/cyber.yml
+ needs: [quality, test, webui]
build:
uses: ./.github/workflows/build.yml
secrets:
@@ -25,4 +28,4 @@ jobs:
PYPI_API_TOKEN: ${{ secrets.PYPI_API_TOKEN }}
DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
DOCKER_TOKEN: ${{ secrets.DOCKER_TOKEN }}
- needs: [quality, test, webui]
+ needs: [quality, test, webui, cyber]
diff --git a/.github/workflows/cyber.yml b/.github/workflows/cyber.yml
new file mode 100644
index 00000000..27a2c9b7
--- /dev/null
+++ b/.github/workflows/cyber.yml
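Review bot: The new `cyber` job is chained behind `quality`, `test` and `webui`, so a failing lint or unit test also skips the vulnerability scan and nothing reaches the Security tab for that run; the scan has no build-order dependency on those jobs, so drop the `needs: [quality, test, webui]` line under `cyber` and let it run in parallel — `build` still waits on it through `needs: [quality, test, webui, cyber]`. Be aware that as written the gate is only as strong as cyber.yml's exit status, which with Trivy's default `exit-code` is always success. Reusable workflows also inherit the caller's token permissions, so if ci.yml declares a restrictive `permissions:` block outside this hunk, `security-events: write` must be granted there for the SARIF upload in cyber.yml to succeed.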
@@ -0,0 +1,28 @@
+name: cyber
+
+on:
+ workflow_call:
+
+jobs:
+ trivy:
+ name: Trivy scan
+
+ runs-on: ubuntu-latest
+
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v4
+
+ - name: Run Trivy vulnerability scanner in repo mode
+ uses: aquasecurity/trivy-action@master
+ with:
+ scan-type: 'fs'
+ ignore-unfixed: true
+ format: 'sarif'
+ output: 'trivy-results.sarif'
+ severity: 'CRITICAL'
+
+ - name: Upload Trivy scan results to GitHub Security tab
+ uses: github/codeql-action/upload-sarif@v2
+ with:
+ sarif_file: 'trivy-results.sarif'
diff --git a/.github/workflows/quality.yml b/.github/workflows/quality.yml
index 124c910f..6d0df601 100644
--- a/.github/workflows/quality.yml
+++ b/.github/workflows/quality.yml
@@ -1,25 +1,7 @@
-# For most projects, this workflow file will not need changing; you simply need
-# to commit it to your repository.
-#
-# You may wish to alter this file to override the set of languages analyzed,
-# or to provide custom queries or build logic.
-#
-# ******** NOTE ********
-# We have attempted to detect the languages in your repository. Please check
-# the `language` matrix defined below to confirm you have the correct set of
-# supported CodeQL languages.
-#
name: quality
on:
workflow_call:
- # push: # branches: [ develop ] # pull_request: # # The branches below must be a subset of the branches above # branches: [ develop ] # schedule: # - cron: '20 20 * * 0'
jobs:
analyze:
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 7d27de8c..6599a1cf 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -1,8 +1,7 @@
-# Run unitary test + flake8
+# Run unitary test
name: test
-# on: [push]
on:
workflow_call:
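Review bot: `uses: aquasecurity/trivy-action@master` pulls a mutable branch of a third-party action into a job that now gates the release `build` in ci.yml, so any compromise or breaking change on that branch lands straight in this pipeline; pin it to a release tag — ideally the tag's full commit SHA with the version in a trailing comment — and pin `github/codeql-action/upload-sarif` the same way (its `@v2` major also has a newer `v3` line). The scan never fails the job either: `exit-code` is left at its default, so Trivy reports findings but returns 0 and the new `needs: cyber` edge passes regardless — set `exit-code: '1'` with `if: always()` on the upload step if the gate is meant to block, or document that the job is report-only. The SARIF upload requires `security-events: write`, which this workflow does not declare; add a job-level `permissions:` block so it keeps working when the repository restricts the default `GITHUB_TOKEN`. With `severity: 'CRITICAL'` plus `ignore-unfixed: true`, HIGH findings are dropped entirely; `'CRITICAL,HIGH'` is the usual floor. Note also that an `fs` scan of the checkout covers declared dependencies, IaC and secrets rather than Python code patterns, so it does not replace the Bandit step this commit removes from test.yml.
```yaml
jobs:
  trivy:
    name: Trivy scan
    runs-on: ubuntu-latest
    # least privilege: checkout needs read, SARIF upload needs security-events write
    permissions:
      contents: read
      security-events: write
    steps:
      # … unchanged: checkout step (pin actions/checkout to a SHA as well) …
      - name: Run Trivy vulnerability scanner in repo mode
        uses: aquasecurity/trivy-action@<full-commit-sha>  # vX.Y.Z — pin and let Dependabot bump
        with:
          scan-type: 'fs'
          ignore-unfixed: true
          format: 'sarif'
          output: 'trivy-results.sarif'
          severity: 'CRITICAL,HIGH'
          exit-code: '1'  # fail the job (and so block build) on findings
      - name: Upload Trivy scan results to GitHub Security tab
        if: always()  # still upload when the scan step failed on findings
        uses: github/codeql-action/upload-sarif@<full-commit-sha>  # v3.x.y
        with:
          sarif_file: 'trivy-results.sarif'
```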
@@ -36,9 +35,6 @@ jobs:
# exit-zero treats all errors as warnings. The GitHub editor is 127 chars wide
flake8 . --count --exit-zero --max-complexity=10 --max-line-length=127 --statistics --exclude=.git,./docs,./glances/outputs/static
- # - name: Lint with Ruff # uses: chartboost/ruff-action@v1
-
- name: Static type check
run: |
if [ "${{ matrix.python-version }}" == "2.7" ];
@@ -54,13 +50,6 @@ jobs:
run: |
python ./unitest.py
- - name: Security issues with Bandit uses: jpetrucciani/bandit-check@master with: #path: '-r --exit-zero --skip B104 ./glances/' path: '-r --exit-zero --skip B104 ./glances/'
-
test-windows:
runs-on: windows-latest
diff --git a/.github/workflows/webui.yml b/.github/workflows/webui.yml
index 2135ffb2..077b0b81 100644
--- a/.github/workflows/webui.yml
+++ b/.github/workflows/webui.yml
@@ -1,14 +1,7 @@
-# This workflow will do a clean installation of node dependencies, cache/restore them, build the source code and run tests across different versions of node
-# For more information see: https://docs.github.com/en/actions/automating-builds-and-tests/building-and-testing-nodejs
-
name: webui
on:
workflow_call:
- # push: # branches: [ "develop" ] # pull_request: # branches: [ "develop" ]
jobs:
build:
-- cgit v1.2.3