Upload trivy results to Github

.github/workflows/trivy.yml

@@ -119,4 +119,4 @@ jobs:
         with:
           image-ref: 'pulsar-functions-pulsarctl-go-runner:latest'
           format: 'table'
-          exit-code: '0'
+          exit-code: '0'

.github/workflows/trivy_scheduled_master.yml

@@ -0,0 +1,166 @@
+name: Scheduled master branch scan security vulnerabilities
+on:
+  pull_request:
+    branches:
+      - 'master'
+    paths-ignore:
+      - 'docs/**'
+      - 'README.md'
+      - 'CHANGELOG.md'
+      - 'PROJECT'
+      - 'LICENSE'
+      - 'mesh-worker-service/README.md'
+      - 'tools/README.md'
+  schedule:
+    - cron: '0 0 * * *'
+
+permissions:
+  pull-requests: write
+  issues: write
+  # For Trivy uploads to Github Security tab
+  # required for all workflows
+  security-events: write
+  # only required for workflows in private repositories
+  actions: read
+  contents: read
+
+jobs:
+  build:
+    name: Scan
+    permissions:
+      pull-requests: write
+      issues: write
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+          repository: ${{github.event.pull_request.head.repo.full_name}}
+          ref: ${{ github.event.pull_request.head.sha }}
+
+      - name: Set up GO 1.22.3
+        uses: actions/setup-go@v1
+        with:
+          go-version: 1.22.3
+        id: go
+
+      - name: InstallKubebuilder
+        run: |
+          curl -L https://github.com/kubernetes-sigs/kubebuilder/releases/download/v2.3.1/kubebuilder_2.3.1_linux_amd64.tar.gz | tar -xz -C /tmp/
+          sudo mv /tmp/kubebuilder_2.3.1_linux_amd64 /usr/local/kubebuilder
+          export PATH=$PATH:/usr/local/kubebuilder/bin
+
+      - name: Install operator-sdk
+        run: |
+          RELEASE_VERSION=v1.14.0
+          curl -LO "https://github.com/operator-framework/operator-sdk/releases/download/${RELEASE_VERSION}/operator-sdk_linux_amd64"
+          chmod +x operator-sdk_linux_amd64 && sudo mkdir -p /usr/local/bin/ && sudo mv operator-sdk_linux_amd64 /usr/local/bin/operator-sdk
+
+      - name: Set up yq
+        run: |
+          sudo wget https://github.com/mikefarah/yq/releases/download/v4.30.4/yq_linux_amd64 -O /usr/bin/yq
+          sudo chmod +x /usr/bin/yq
+          yq --help
+
+      - name: Build operator image
+        run: |
+          make generate
+          make helm-crds
+          image="function-mesh-operator:latest"
+          IMG=${image} make docker-build-skip-test
+
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@master
+        with:
+          image-ref: 'function-mesh-operator:latest'
+          format: 'table'
+          exit-code: '1'
+
+      - name: Build runner images
+        run: |
+          PULSAR_IMAGE_TAG=3.2.2.6 PULSAR_IMAGE=streamnative/sn-platform KIND_PUSH=false images/build.sh
+
+      - name: Run Trivy vulnerability scanner for java
+        id: scan-java-runner
+        uses: aquasecurity/trivy-action@master
+        with:
+          image-ref: 'pulsar-functions-java-runner:latest'
+          format: 'table'
+          exit-code: '0'
+
+      - name: Run Trivy vulnerability scanner for python
+        id: scan-python-runner
+        uses: aquasecurity/trivy-action@master
+        with:
+          image-ref: 'pulsar-functions-python-runner:latest'
+          format: 'table'
+          exit-code: '0'
+
+      - name: Run Trivy vulnerability scanner for go
+        id: scan-go-runner
+        uses: aquasecurity/trivy-action@master
+        with:
+          image-ref: 'pulsar-functions-go-runner:latest'
+          format: 'template'
+          template: '@/contrib/sarif.tpl'
+          output: 'trivy-results-go.sarif'
+          severity: 'LOW,MEDIUM,HIGH,CRITICAL'
+          exit-code: '0'
+
+      - name: Run Trivy vulnerability scanner for java with pulsarctl
+        id: scan-java-pulsarctl-runner
+        uses: aquasecurity/trivy-action@master
+        with:
+          image-ref: 'pulsar-functions-pulsarctl-java-runner:latest'
+          format: 'template'
+          template: '@/contrib/sarif.tpl'
+          output: 'trivy-results.sarif'
+          severity: 'LOW,MEDIUM,HIGH,CRITICAL'
+          exit-code: '0'
+
+      - name: Run Trivy vulnerability scanner for python with pulsarctl
+        id: scan-python-pulsarctl-runner
+        uses: aquasecurity/trivy-action@master
+        with:
+          image-ref: 'pulsar-functions-pulsarctl-python-runner:latest'
+          format: 'template'
+          template: '@/contrib/sarif.tpl'
+          output: 'trivy-results-python.sarif'
+          severity: 'LOW,MEDIUM,HIGH,CRITICAL'
+          exit-code: '0'
+
+      - name: Run Trivy vulnerability scanner for go with pulsarctl
+        id: scan-go-pulsarctl-runner
+        uses: aquasecurity/trivy-action@master
+        with:
+          image-ref: 'pulsar-functions-pulsarctl-go-runner:latest'
+          format: 'template'
+          exit-code: '0'
+          template: '@/contrib/sarif.tpl'
+          output: 'trivy-results-pulsarctl.sarif'
+          severity: 'LOW,MEDIUM,HIGH,CRITICAL'
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          sarif_file: 'trivy-results.sarif'
+          category: 'Default'
+
+      - name: Upload Trivy go scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          sarif_file: 'trivy-results-go.sarif'
+          category: 'Golang'
+
+      - name: Upload Trivy pulsarctl scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          sarif_file: 'trivy-results-pulsarctl.sarif'
+          category: 'Pulsarctl'
+
+      - name: Upload Trivy python scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          sarif_file: 'trivy-results-python.sarif'
+          category: 'Python'