Replace FOSSA with Trivy for license scan (#4646)

replicatedhq · Aug 31, 2023 · e24514a · e24514a
1 parent 499cbdb
commit e24514a
Show file tree

Hide file tree

Showing 5 changed files with 42 additions and 68 deletions.
diff --git a/.fossa.yml b/.fossa.yml
diff --git a/.github/workflows/fossa.yaml b/.github/workflows/fossa.yaml
diff --git a/.github/workflows/license.yaml b/.github/workflows/license.yaml
@@ -0,0 +1,42 @@
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+
+env:
+  TRIVY_VERSION: 0.44.1
+
+name: License scan
+
+jobs:
+  license:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+
+      - name: Setup Go
+        uses: actions/setup-go@v4
+
+      - name: Install Go deps
+        run: go mod download
+
+      - name: Install trivy
+        run: |
+          wget https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}/trivy_${TRIVY_VERSION}_Linux-64bit.deb
+          sudo dpkg -i trivy_${TRIVY_VERSION}_Linux-64bit.deb
+
+      - name: Create licence report artifact
+        run: trivy fs --scanners license --skip-dirs ".github" --skip-files "package-lock.json,bin/scan-images/package-lock.json" . | tee license-report.txt
+
+      - name: Upload licence report artifact
+        uses: actions/upload-artifact@v3
+        with:
+          name: license-report
+          path: license-report.txt
+
+      - name: Check for unknown licenses
+        run: trivy fs --scanners license --skip-dirs ".github" --skip-files "package-lock.json,bin/scan-images/package-lock.json" --exit-code 1 --severity UNKNOWN . || echo "::warning::Unknown licenses found, please verify"
+
+      - name: Check for forbidden licenses and fail
+        run: trivy fs --scanners license --skip-dirs ".github" --skip-files "package-lock.json,bin/scan-images/package-lock.json" --exit-code 1 --severity CRITICAL,HIGH .
diff --git a/.gitignore b/.gitignore
@@ -27,7 +27,3 @@ sbom/
 
 # ide 
 .vscode
-
-# FOSSA
-fossa.debug.*
-fossa.telemetry.*
diff --git a/README.md b/README.md
@@ -5,8 +5,6 @@
 
 # kURL
 
-[![FOSSA Status](https://app.fossa.com/api/projects/custom%2B5995%2Fgithub.com%2Freplicatedhq%2Fkurl.svg?type=small)](https://app.fossa.com/projects/custom%2B5995%2Fgithub.com%2Freplicatedhq%2Fkurl?ref=badge_small)
-
 kURL is a Kubernetes installer for airgapped and online clusters.
 
 kURL relies on `kubeadm` to bring up the Kubernetes control plane, but there are a variety of tasks a system administrator must perform both before and after running kubeadm init in order to have a production-ready Kubernetes cluster, such as installing Docker, configuring Pod networking, or installing kubeadm itself.
-Original file line number
+Diff line change
@@ Expand Up / @@ -27,7 +27,3 @@ sbom/ @@
     # ide
     .vscode
-    # FOSSA
-    fossa.debug.*
-    fossa.telemetry.*