From e4782f88c899779894e6c2f847d48d9c527ce8c4 Mon Sep 17 00:00:00 2001
From: Ethan Soergel <esoergel@gmail.com>
Date: Wed, 2 Oct 2024 17:30:52 -0400
Subject: [PATCH] Add trivy config scanner

---
 .github/workflows/trivy.yml | 39 +++++++++++++++++++++++++++++++------
 1 file changed, 33 insertions(+), 6 deletions(-)

diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml
index d7ae73e963..3483736e90 100644
--- a/.github/workflows/trivy.yml
+++ b/.github/workflows/trivy.yml
@@ -8,9 +8,9 @@ name: trivy
 on:
   # push:
   #   branches: [ "master" ]
-  # pull_request:
-  #   # The branches below must be a subset of the branches above
-  #   branches: [ "master" ]
+  pull_request:
+    # The branches below must be a subset of the branches above
+    branches: [ "master" ]
   schedule:
     - cron: '35 6 * * 6'
 
@@ -18,7 +18,7 @@ permissions:
   contents: read
 
 jobs:
-  build:
+  build-trivy-fs:
     permissions:
       contents: read # for actions/checkout to fetch code
       security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
@@ -35,10 +35,37 @@ jobs:
           scan-type: 'fs'
           ignore-unfixed: true
           format: 'sarif'
-          output: 'trivy-results.sarif'
+          output: 'trivy-fc-results.sarif'
           severity: 'CRITICAL'
 
       - name: Upload Trivy scan results to GitHub Security tab
         uses: github/codeql-action/upload-sarif@v3
         with:
-          sarif_file: 'trivy-results.sarif'
+          sarif_file: 'trivy-fc-results.sarif'
+
+  build-trivy-config:
+    permissions:
+      contents: read # for actions/checkout to fetch code
+      security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+      actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
+    name: Build
+    runs-on: "ubuntu-20.04"
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Run Trivy vulnerability scanner in IaC mode
+        uses: aquasecurity/trivy-action@0.20.0
+        with:
+          scan-type: 'config'
+          hide-progress: true
+          format: 'sarif'
+          output: 'trivy-config-results.sarif'
+          exit-code: '0'
+          ignore-unfixed: true
+          severity: 'CRITICAL,HIGH'
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: 'trivy-config-results.sarif'