From eff76cf9f18d3db4cfbb7113838fd73bfbf53bd8 Mon Sep 17 00:00:00 2001
From: Andreas Salhus Bakseter <141913422+baksetercx@users.noreply.github.com>
Date: Thu, 25 Apr 2024 10:01:12 +0200
Subject: [PATCH] Verify Trivy install

---
 trivy-iac-scan/action.yml | 46 ++++++++++++++++++++++++++++++++++++---
 1 file changed, 43 insertions(+), 3 deletions(-)

diff --git a/trivy-iac-scan/action.yml b/trivy-iac-scan/action.yml
index 6fab123..66e1f0b 100644
--- a/trivy-iac-scan/action.yml
+++ b/trivy-iac-scan/action.yml
@@ -52,16 +52,56 @@ runs:
 # Add default set of CVE's to ignore
 echo "AVD-DS-0026" >> '${{ inputs.trivyignore }}'
+ - name: Install cosign
+ uses: sigstore/cosign-installer@v3.5.0
+
 - name: Install Trivy
 shell: bash
 run: |
 # Install Trivy
+ local trivy_tarball="trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz"
+ local trivy_checksums="trivy_${TRIVY_VERSION}_checksums.txt"
+
+ local trivy_tmp
 trivy_tmp="$(mktemp -d)"
 cd "$trivy_tmp"
- trivy_tarball="trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz"
- wget -q "https://github.com/aquasecurity/trivy/releases/download/v$TRIVY_VERSION/$trivy_tarball" # TODO: verify checksum & signature
+
+ printf "Downloading Trivy v%s...\n" "$TRIVY_VERSION"
+ wget -q "https://github.com/aquasecurity/trivy/releases/download/v$TRIVY_VERSION/$trivy_tarball"
+ wget -q "https://github.com/aquasecurity/trivy/releases/download/v$TRIVY_VERSION/$trivy_tarball.sig"
+ wget -q "https://github.com/aquasecurity/trivy/releases/download/v$TRIVY_VERSION/$trivy_tarball.pem"
+ printf "Done.\n\n"
+
+ printf "Verifying signature...\n"
+ cosign verify-blob "$trivy_tarball" \
+ --certificate "$trivy_tarball.pem" \
+ --signature "$trivy_tarball.sig" \
+ --certificate-identity-regexp 'https://github\.com/aquasecurity/trivy/\.github/workflows/.+' \
+ --certificate-oidc-issuer "https://token.actions.githubusercontent.com"
+ printf "Done.\n\n"
+
+ printf "Downloading checksums...\n"
+ wget -q "https://github.com/aquasecurity/trivy/releases/download/v$TRIVY_VERSION/$trivy_checksums"
+ wget -q "https://github.com/aquasecurity/trivy/releases/download/v$TRIVY_VERSION/$trivy_checksums.sig"
+ wget -q "https://github.com/aquasecurity/trivy/releases/download/v$TRIVY_VERSION/$trivy_checksums.pem"
+ printf "Done.\n\n"
+
+ printf "Verifying checksums signature...\n"
+ cosign verify-blob "$trivy_checksums" \
+ --certificate "$trivy_checksums.pem" \
+ --signature "$trivy_checksums.sig" \
+ --certificate-identity-regexp 'https://github\.com/aquasecurity/trivy/\.github/workflows/.+' \
+ --certificate-oidc-issuer "https://token.actions.githubusercontent.com"
+ printf "Done.\n\n"
+
+ printf "Verifying checksums...\n"
+ echo "$(cat $trivy_checksums | grep $trivy_tarball)" | sha256sum -c
+ printf "Done.\n\n"
+
+ printf "Installing Trivy v%s...\n" "$TRIVY_VERSION"
 tar -xzf "$trivy_tarball"
- chmod +x trivy && mv trivy /usr/local/bin
+ sudo install -m 755 trivy /usr/local/bin
+ printf "Done.\n\n"
 env:
 TRIVY_VERSION: '0.50.4'
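Review bot: The `local` declarations added at the top of the `run:` script (`local trivy_tarball=…`, `local trivy_checksums=…`, `local trivy_tmp`) are not inside a function, and bash rejects `local` outside a function ("local: can only be used in a function"); with the `bash -e` that `shell: bash` runs under, the step aborts before downloading anything. Unless the surrounding YAML outside the hunk wraps this script in a function, drop the keyword: `trivy_tarball="trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz"`, `trivy_checksums="trivy_${TRIVY_VERSION}_checksums.txt"`, and delete the bare `local trivy_tmp` line. The checksum step `echo "$(cat $trivy_checksums | grep $trivy_tarball)" | sha256sum -c` leaves both variables unquoted and uses the file name as a regex; `grep -F -- "$trivy_tarball" "$trivy_checksums" | sha256sum -c -` checks the same entry without the cat/echo detour and with a fixed-string match. Since this step is what anchors the whole verification chain, `sigstore/cosign-installer@v3.5.0` is better pinned to the tag's commit SHA than to a mutable tag, and the directory from `mktemp -d` is never removed (a `trap 'rm -rf -- "$trivy_tmp"' EXIT` right after it is created would cover that). The identity regexp accepts any workflow under `aquasecurity/trivy`; if the release workflow's file name is known, pinning `--certificate-identity` to it narrows what a compromised unrelated workflow in that repo could sign.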