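---
# Reusable workflow: scans a built container image with Trivy and fails the
# job when any vulnerability of the configured severities is found.
#
# Changes versus the previous revision:
#   - step output written via $GITHUB_OUTPUT (the `::set-output` command is
#     deprecated by GitHub and ignored by newer runners, which would leave the
#     cache key without the DB sha).
#   - caller-supplied input is passed to shell steps through `env:` instead of
#     being interpolated into the script text (workflow expression injection).
#   - image clean-up tolerates "no matching image" instead of erroring.
#   - job requests only the token permissions the steps need.
name: Workflow to scan vulnerability

on:
  workflow_call:
    inputs:
      docker_tags:
        description: >-
          Full image reference (registry/repo:tag) to scan; also used as the
          `reference=` filter when removing local images afterwards.
        type: string
        required: true
      runner:
        # Label of the runner to execute on. Values used by callers so far:
        # cn, us, cn1, cn2, cn3, us1, us2, us3, ubuntu-latest
        description: Runner label passed to `runs-on`.
        type: string
        required: true
      trivyignores:
        description: Comma-separated list of .trivyignore files (may be empty).
        type: string
        required: false
        default: ""

jobs:
  scanning:
    name: vulnerability scanning
    runs-on: ${{ inputs.runner }}
    timeout-minutes: 20
    # Least privilege: the only token use is a read of a public package
    # version list via `gh api`; nothing here writes to the repository.
    permissions:
      contents: read
      packages: read
    steps:
      - id: trivy-db
        name: Check trivy db sha
        env:
          GH_TOKEN: ${{ github.token }}
        run: |
          endpoint='/orgs/aquasecurity/packages/container/trivy-db/versions'
          headers='Accept: application/vnd.github+json'
          jqFilter='.[] | select(.metadata.container.tags[] | contains("latest")) | .name | sub("sha256:";"")'
          # `select` over a tag array can emit the same version more than once
          # when several tags contain "latest"; keep a single line for the key.
          sha=$(gh api -H "${headers}" "${endpoint}" | jq --raw-output "${jqFilter}" | head -n 1)
          echo "Trivy DB sha256:${sha}"
          # Exposed as steps.trivy-db.outputs.sha for the cache key below.
          echo "sha=${sha}" >> "${GITHUB_OUTPUT}"

      # Cache the downloaded Trivy DB, keyed on the upstream DB digest so a
      # new DB release invalidates the entry.
      - uses: actions/cache@v3
        with:
          path: .trivy
          key: ${{ runner.os }}-trivy-db-${{ steps.trivy-db.outputs.sha }}

      # TODO : add global trivy ignore
      - name: Run Trivy vulnerability scanner in image mode
        # TODO(review): `@master` is a mutable ref — pin to a release tag or a
        # full commit SHA (e.g. aquasecurity/trivy-action@<RELEASE-OR-SHA>) so a
        # compromised or changed upstream branch cannot alter this scan.
        uses: aquasecurity/trivy-action@master
        with:
          # image-ref: ${{ secrets.REGISTRY }}/${{ inputs.project }}/${{ inputs.component }}:${{ inputs.docker_image_version }}
          image-ref: ${{ inputs.docker_tags }}
          format: 'table'
          # Non-zero exit on findings makes the job fail on any listed severity.
          exit-code: '1'
          hide-progress: true
          ignore-unfixed: true
          cache-dir: .trivy
          # vuln-type: 'os,library'
          trivyignores: '${{ inputs.trivyignores }}'
          severity: 'UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL'

      # Trivy runs in a container and leaves .trivy owned by a different uid;
      # hand it back to the workspace owner so the cache step can read it.
      - name: Fix .trivy permissions
        if: always()
        run: sudo chown -R "$(stat . -c %u:%g)" .trivy

      - name: clean local docker images after scanning.
        if: always()
        env:
          # Passed via the environment rather than `${{ }}` inside the script:
          # the value then reaches the shell as data, not as command text.
          DOCKER_TAGS: ${{ inputs.docker_tags }}
        run: |
          images=$(docker images --filter="reference=${DOCKER_TAGS}" --quiet)
          # `docker rmi -f` with no arguments exits non-zero; skip when the
          # image was already removed or never pulled.
          if [ -n "${images}" ]; then
            # word-splitting intended: one image id per line
            docker rmi -f ${images}
          fi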