From 8085dbab24c628ad2b85ff32cdd9e80554ee6530 Mon Sep 17 00:00:00 2001
From: RichardWhellum
Date: Sun, 1 Dec 2024 20:33:03 +1100
Subject: [PATCH 1/2] Trivy repo scan to secuirty tab & reviewdog comment on PR
---
 .github/workflows/Trivy-Reviewdog-scan.yml | 72 ++++++++++++++++++++++
 1 file changed, 72 insertions(+)
 create mode 100644 .github/workflows/Trivy-Reviewdog-scan.yml
diff --git a/.github/workflows/Trivy-Reviewdog-scan.yml b/.github/workflows/Trivy-Reviewdog-scan.yml
new file mode 100644
index 0000000..3b04f52
--- /dev/null
+++ b/.github/workflows/Trivy-Reviewdog-scan.yml
@@ -0,0 +1,72 @@
+name: build
+on:
+ push:
+ branches:
+ - main
+ pull_request:
+
+jobs:
+ trivy-repo-scan:
+ name: Trivy Repo Scan & Upload to Security Tab
+ runs-on: ubuntu-20.04
+ permissions:
+ contents: write
+ security-events: write
+
+
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v4
+
+ - name: Run Trivy vulnerability scanner in repo mode
+ uses: aquasecurity/trivy-action@0.28.0
+ with:
+ scan-type: 'fs'
+ ignore-unfixed: true
+ format: 'sarif'
+ output: 'trivy-results.sarif'
+ severity: 'CRITICAL'
+
+ - name: Upload Trivy scan results to GitHub Security tab
+ uses: github/codeql-action/upload-sarif@v3
+ with:
+ sarif_file: 'trivy-results.sarif'
+
+ reviewdog-pr-check:
+ name: Trivy PR Check
+ runs-on: ubuntu-latest
+ needs: trivy-repo-scan
+
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v4
+
+ - name: Get Changed Files
+ id: changed-files
+ run: |
+ git fetch origin main
+ git diff --name-only origin/main > changed-files.txt
+
+ - name: Print Changed Files
+ run: |
+ echo "Changed files:"
+ cat changed-files.txt
+
+ - name: Run Trivy on Changed Files
+ if: success()
+ run: |
+ mkdir trivy-results
+ while read -r file; do
+ echo "Scanning $file..."
+ trivy fs --quiet --severity HIGH,CRITICAL --format json --output trivy-results/$(basename $file).json "$file" || true
+ done < changed-files.txt
+
+ - name: Run Reviewdog
+ uses: reviewdog/action-trivy@v1
+ with:
+ github_token: ${{ secrets.GITHUB_TOKEN }}
+ trivy_command: fs
+ trivy_target: ./trivy-results
+ reporter: github-pr-review
+ level: warning
+ fail_on_error: false
\ No newline at end of file
From 01c6e6feacb40e41e6f360646008d244716eca92 Mon Sep 17 00:00:00 2001
From: RichardWhellum
Date: Sun, 1 Dec 2024 20:35:48 +1100
Subject: [PATCH 2/2] Add dodgy dependencies to requirements.txt
---
 requirements.txt | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/requirements.txt b/requirements.txt
index af37a2d..02f7ed8 100644
--- a/requirements.txt
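Review bot: The `Trivy PR Check` job cannot surface findings on a pull request as written: the GitHub-hosted Ubuntu image does not, as far as I know, ship a `trivy` binary, so every `trivy fs` call in the per-file loop fails and is hidden by `|| true`, and the reviewdog step then runs its own scan with `trivy_target: ./trivy-results`, i.e. against the directory of (empty or missing) JSON outputs rather than the checked-out sources, so nothing the loop produced is ever read. The first job also grants `contents: write`, which none of its three steps need (`upload-sarif` needs `security-events: write` plus read on contents/actions), while the second job declares no `permissions:` at all and so depends on the repository's default token scope for the `pull-requests: write` that `github-pr-review` requires. I would drop the dead changed-files/per-file steps, point reviewdog at `.`, and give both jobs explicit least-privilege permissions as below; note the PR reporter still cannot post on pull requests opened from forks, where `GITHUB_TOKEN` is read-only. Separately, both actions are referenced by mutable tag (`aquasecurity/trivy-action@0.28.0`, `reviewdog/action-trivy@v1`); pinning them to full commit SHAs would close the tag-retargeting path for what is meant to be a security-gating workflow.

```yaml
  trivy-repo-scan:
    # … unchanged: name, runs-on …
    permissions:
      contents: read           # upload-sarif only reads the repo; nothing here pushes
      security-events: write
      actions: read
    # … unchanged: checkout, trivy-action and upload-sarif steps …

  reviewdog-pr-check:
    # … unchanged: name, runs-on, needs …
    permissions:
      contents: read
      pull-requests: write     # required by reporter: github-pr-review
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
      # Dropped: Get Changed Files / Print Changed Files / Run Trivy on Changed Files.
      # The runner has no trivy binary and their JSON output was never consumed.
      - name: Run Reviewdog
        uses: reviewdog/action-trivy@v1
        with:
          github_token: ${{ secrets.GITHUB_TOKEN }}
          trivy_command: fs
          trivy_target: .      # scan the checkout, not the results directory
          # … unchanged: reporter, level, fail_on_error …
```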
+++ b/requirements.txt
@@ -1 +1,3 @@
-bandit==1.7.5
\ No newline at end of file
+bandit==1.7.5
+flask==0.12.3 # Known vulnerabilities in Flask 0.12.x
+requests==2.18.4 # SSL issues in older Requests versions
\ No newline at end of file
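Review bot: These pins put Flask 0.12.3 and Requests 2.18.4 into the repository's real `requirements.txt`, so anyone running `pip install -r requirements.txt` (or any tooling that resolves it) installs the known-vulnerable versions rather than merely scanning them. If they exist only to exercise the Trivy workflow, as the commit title suggests, move them to a fixture such as `tests/fixtures/vulnerable/requirements.txt` — Trivy's `fs` scan should still pick up a file of that name anywhere under the checkout — and keep the top-level file to `bandit==1.7.5`. If they must stay, replace the vague inline comments (`# SSL issues in older Requests versions`) with the specific advisory IDs Trivy reports, so the pins are reviewable and can be removed once the scanner is confirmed working.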