From 6a57cd14da1e49bd63e24aeb43b7d937ae377ef6 Mon Sep 17 00:00:00 2001
From: Patrick Foley
Date: Fri, 8 Sep 2023 14:35:21 -0700
Subject: [PATCH] Initial scans commit for bandit, hadolint, trivy

---
 .github/workflows/scans.yml | 34 ++++++++++++++++++++++++++++++++++
 .github/workflows/trivy.yml | 29 +++++++++++++++++++++++++++++
 2 files changed, 63 insertions(+)
 create mode 100644 .github/workflows/scans.yml
 create mode 100644 .github/workflows/trivy.yml

diff --git a/.github/workflows/scans.yml b/.github/workflows/scans.yml
new file mode 100644
index 00000000000..7550d9b9c5a
--- /dev/null
+++ b/.github/workflows/scans.yml
@@ -0,0 +1,34 @@
+# This workflow will install Python dependencies, run tests and lint with a single version of Python
+# For more information see: https://help.github.com/actions/language-and-framework-guides/using-python-with-github-actions
+
+name: Lint with Flake8
+
+on:
+  pull_request:
+    branches: [ develop ]
+
+permissions:
+  contents: read
+
+jobs:
+  build:
+
+    runs-on: ubuntu-latest
+
+    steps:
+    - uses: actions/checkout@v3
+    - name: Set up Python 3.8
+      uses: actions/setup-python@v3
+      with:
+        python-version: "3.8"
+    - name: Install dependencies
+      run: |
+        python -m pip install --upgrade pip
+        pip install bandit
+        pip install .
+    - name: Bandit Scan
+      run: |
+        bandit -r openfl
+    - name: Hadolint Dockerfile Scan
+      run: |
+        docker run --rm -i hadolint/hadolint < openfl-docker/Dockerfile.base
diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml
new file mode 100644
index 00000000000..9037d79139c
--- /dev/null
+++ b/.github/workflows/trivy.yml
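Review bot: The Hadolint step at the end of the hunk runs `hadolint/hadolint` with no tag or digest, so every run resolves a mutable default tag of a third-party image that acts as a security gate; results are not reproducible and an upstream image change lands silently, so pin it, e.g. `docker run --rm -i hadolint/hadolint:<pinned-version> < openfl-docker/Dockerfile.base` (ideally with an `@sha256:` digest). The same applies, less urgently, to `actions/checkout@v3` and `actions/setup-python@v3`, which track a mutable major tag rather than a commit SHA. Separately, the two header comment lines and `name: Lint with Flake8` still describe the Python template this file was copied from, while the jobs actually run Bandit and Hadolint; rename it, e.g. `name: Bandit and Hadolint scans`, and replace the header comment with a single line stating that it scans the `openfl` package with Bandit and `openfl-docker/Dockerfile.base` with Hadolint on pull requests to develop. `bandit -r openfl` with no config or severity threshold exits non-zero on any finding, including low-severity ones, which fails the PR check; if that is not the intended gate, add `-ll` or a `.bandit` config rather than letting the first low-severity hit block merges. `pip install .` is not needed for a static Bandit scan of the source tree and only lengthens the job.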
@@ -0,0 +1,29 @@
+name: build
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+jobs:
+  build:
+    name: Build
+    runs-on: ubuntu-22.04
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v3
+
+      - name: Build an image from Dockerfile
+        run: |
+          docker build -t docker.io/securefederatedai/openfl:${{ github.sha }} openfl-docker/Dockerfile.base
+
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@master
+        with:
+          image-ref: 'docker.io/securefederatedai/openfl:${{ github.sha }}'
+          format: 'sarif'
+          output: 'trivy-results.sarif'
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          sarif_file: 'trivy-results.sarif'
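Review bot: The build step in the middle of the hunk passes `openfl-docker/Dockerfile.base` as the positional build-context argument of `docker build`, but that argument must be a directory (or URL), so the step fails before Trivy ever runs; the Dockerfile belongs behind `-f`, e.g. `docker build -t docker.io/securefederatedai/openfl:${{ github.sha }} -f openfl-docker/Dockerfile.base .` (or with `openfl-docker` as the context if the Dockerfile's COPY paths expect that). `aquasecurity/trivy-action@master` tracks a mutable branch of a third-party action that is handed the built image and produces the findings this workflow uploads; pin it to a release tag or, better, a commit SHA, and do the same for `actions/checkout@v3` and `github/codeql-action/upload-sarif@v2`. The workflow declares no `permissions:` block, so the upload step depends on the repository's default token scope; declare least privilege explicitly with `permissions:` / `  contents: read` / `  security-events: write`, the latter being what upload-sarif needs. The `push` trigger targets `main` while the sibling scans.yml in this same commit triggers on `develop`, so confirm which branch name this repository actually uses. `name: build` also misdescribes a vulnerability-scan workflow; `name: Trivy image scan` would say what it does.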