From e18da7094450c98fbfe6a9dd29430e71d8bbdccb Mon Sep 17 00:00:00 2001 From: Szilard Parrag Date: Wed, 14 Feb 2024 09:53:26 +0100 Subject: [PATCH 1/2] feat(ci): add trivy image scan Signed-off-by: Szilard Parrag --- .github/workflows/release.yaml | 32 ++++++++++++++++++++++++++++++++ 1 file changed, 32 insertions(+) diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index bae3a1d9..471b35d4 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -10,6 +10,7 @@ jobs: id-token: write packages: write contents: write + security-events: write strategy: matrix: @@ -49,6 +50,7 @@ jobs: echo "sha_short=$(git rev-parse --short HEAD)" >> $GITHUB_ENV - uses: goreleaser/goreleaser-action@v5 + id: goreleaser-action with: distribution: goreleaser version: v1.24.0 @@ -62,3 +64,33 @@ jobs: with: name: all-artifacts path: dist/*/* + + - name: Install jq + run: sudo apt-get install -y jq + + - name: Extract Docker image with digest + id: image-with-digest + shell: bash + run: | + echo '${{ steps.goreleaser-action.outputs.artifacts }}' >> output-artifacts.json + DOCKER_IMAGE=$(jq -r '.[] | select(.type == "Docker Manifest" and (.path | test(":[0-9]+"))) | "\(.path)@\(.extra.Digest)"' ./output-artifacts.json) + echo "DOCKER_IMAGE=$DOCKER_IMAGE" >> "$GITHUB_OUTPUT" + + - name: Run Trivy vulnerability scanner + uses: aquasecurity/trivy-action@0.17.0 + with: + image-ref: ${{ steps.image-with-digest.outputs.DOCKER_IMAGE }} + format: sarif + output: trivy-results.sarif + + - name: Upload Trivy scan results as artifact + uses: actions/upload-artifact@v4 + with: + name: "[${{ github.job }}] Trivy scan results" + path: trivy-results.sarif + retention-days: 5 + + - name: Upload Trivy scan results to GitHub Security tab + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: trivy-results.sarif From b70f9cc2fa6fe8c94230afed2a3172cbc7983d29 Mon Sep 17 00:00:00 2001 
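Review bot: The `Extract Docker image with digest` step splices `${{ steps.goreleaser-action.outputs.artifacts }}` straight into the `run` script inside a `'...'` literal, so the JSON is parsed as shell source: a single quote in any artifact path terminates the literal, and whatever comes out of this step is then handed to Trivy as `image-ref` — the content here comes from goreleaser rather than an outside actor, but the fix is the standard one anyway: pass the output through `env:` and write it with `printf '%s' "$ARTIFACTS" > output-artifacts.json` (the `>>` also appends rather than overwrites). The `jq` filter is unchecked as well: with no matching `Docker Manifest` entry `DOCKER_IMAGE` is empty, and with several it is multi-line, which `echo "DOCKER_IMAGE=$DOCKER_IMAGE" >> "$GITHUB_OUTPUT"` silently truncates to the first line — fail the step when the count is not exactly one, as below. Because goreleaser has already pushed the image by the time Trivy runs, the scan reports on the published artifact and does not gate the release; if that is intended, a comment on the Trivy step saying `# post-publish scan: findings are reported to the Security tab, not blocking` would save the next reader the question, otherwise `exit-code: '1'` with a `severity` filter on `trivy-action` is the usual way to make it block. The actions added here are pinned to mutable tags (`trivy-action@0.17.0`, `upload-artifact@v4`, `codeql-action/upload-sarif@v3`); pinning each to a commit SHA with the tag in a trailing comment keeps the release job's supply chain reproducible. These steps belong to a job whose header and `strategy: matrix` are outside the hunk, so whether one matrix leg can publish more than one versioned manifest cannot be confirmed from here.
```yaml
# … unchanged: goreleaser and all-artifacts upload steps …
      - name: Extract Docker image with digest
        id: image-with-digest
        shell: bash
        env:
          ARTIFACTS: ${{ steps.goreleaser-action.outputs.artifacts }}
        run: |
          printf '%s' "$ARTIFACTS" > output-artifacts.json
          # Exactly one versioned manifest with a digest is expected; fail the step
          # otherwise instead of handing Trivy an empty or multi-line image-ref.
          DOCKER_IMAGE=$(jq -er '
            [ .[]
              | select(.type == "Docker Manifest" and (.path | test(":[0-9]+")) and .extra.Digest != null)
              | "\(.path)@\(.extra.Digest)" ]
            | if length == 1 then .[0]
              else error("expected exactly one versioned Docker Manifest, got \(length)") end
          ' output-artifacts.json)
          echo "DOCKER_IMAGE=$DOCKER_IMAGE" >> "$GITHUB_OUTPUT"
# … unchanged: Trivy scan and SARIF upload steps …
```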
From: Szilard Parrag Date: Wed, 14 Feb 2024 15:47:32 +0100 Subject: [PATCH 2/2] fix(goreleaser generator): remove commented out nfpms option Signed-off-by: Szilard Parrag --- cmd/goreleaser/internal/configure.go | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/cmd/goreleaser/internal/configure.go b/cmd/goreleaser/internal/configure.go index 3af8a7ff..c261d145 100644 --- a/cmd/goreleaser/internal/configure.go +++ b/cmd/goreleaser/internal/configure.go @@ -43,9 +43,8 @@ func Generate(imagePrefixes []string, dists []string) config.Project { NameTemplate: "{{ .ProjectName }}_checksums.txt", }, - Builds: Builds(dists), - Archives: Archives(dists), - //NFPMs: Packages(dists), + Builds: Builds(dists), + Archives: Archives(dists), Dockers: DockerImages(imagePrefixes, dists), DockerManifests: DockerManifests(imagePrefixes, dists), }