Use Trivy more effectively

.devcontainer/Dockerfile

@@ -7,19 +7,19 @@ ARG NODE_VERSION="none"
 RUN if [ "${NODE_VERSION}" != "none" ]; then su vscode -c "umask 0002 && . /usr/local/share/nvm/nvm.sh && nvm install ${NODE_VERSION} 2>&1"; fi
 
 RUN export DEBIAN_FRONTEND=noninteractive \
-    && curl https://baltocdn.com/helm/signing.asc | gpg --dearmor | sudo tee /usr/share/keyrings/helm.gpg \
+    && curl https://baltocdn.com/helm/signing.asc | gpg --dearmor | tee /usr/share/keyrings/helm.gpg \
     &&  curl -sS https://dl.yarnpkg.com/debian/pubkey.gpg | gpg --dearmor > /usr/share/keyrings/yarn-archive-keyring.gpg \
     && apt-get install apt-transport-https --yes \
-    && echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/helm.gpg] https://baltocdn.com/helm/stable/debian/ all main" | sudo tee /etc/apt/sources.list.d/helm-stable-debian.list \
+    && echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/helm.gpg] https://baltocdn.com/helm/stable/debian/ all main" | tee /etc/apt/sources.list.d/helm-stable-debian.list \
     && apt-get update \
-    && apt-get -y install --no-install-recommends \
+    && apt-get install --yes --no-install-recommends \
         bash-completion \
         helm \
         uuid-runtime
 
 # Install cockroachdb so we have the client
 RUN curl https://binaries.cockroachdb.com/cockroach-v22.1.8.linux-amd64.tgz | tar -xz \
-    && sudo cp -i cockroach-v22.1.8.linux-amd64/cockroach /usr/local/bin/ \
+    && cp -i cockroach-v22.1.8.linux-amd64/cockroach /usr/local/bin/ \
     && rm -rf cockroach-v*
 
 USER vscode

.github/workflows/image-build.yaml

@@ -15,14 +15,25 @@ jobs:
       - name: Checkout
         uses: actions/checkout@v3
 
+      - name: Scan repo
+        uses: aquasecurity/trivy-action@master
+        with:
+          scan-type: 'fs'
+          scan-ref: '.'
+          scanners: 'vuln,secret'
+          ignore-unfixed: true
+          severity: 'HIGH,CRITICAL'
+          format: 'table'
+          exit-code: '1'
+
       - name: Registry login
         uses: docker/login-action@v2
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
-      - name: Docker metadata
+      - name: Get Docker metadata
         id: metadata
         uses: docker/metadata-action@v4
         with:
@@ -40,14 +51,15 @@ jobs:
           load: true
           tags: ${{ steps.metadata.outputs.tags }}
 
-      - name: Run Trivy vulnerability scanner
+      - name: Scan image
         uses: aquasecurity/trivy-action@master
         with:
-          image-ref: ghcr.io/infratographer/permissions-api/permissions-api:latest
-          scanners: 'vuln,config,secret'
+          image-ref: ghcr.io/infratographer/permissions-api:latest
+          scanners: 'vuln,secret'
           ignore-unfixed: true
           severity: 'HIGH,CRITICAL'
           format: 'table'
+          exit-code: '1'
 
       - name: Push
         uses: docker/build-push-action@v4

.github/workflows/security.yaml

@@ -0,0 +1,67 @@
+name: Trivy Scan
+
+on:
+  pull_request:
+  workflow_dispatch:
+
+jobs:
+  image-scan:
+    name: image-scan
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+
+      - name: Registry login
+        uses: docker/login-action@v2
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Docker metadata
+        id: metadata
+        uses: docker/metadata-action@v4
+        with:
+          images: |
+            ghcr.io/${{ github.repository }}
+          tags: |
+            type=sha
+
+      - name: Build
+        uses: docker/build-push-action@v4
+        with:
+          context: .
+          push: false
+          load: true
+          tags: ${{ steps.metadata.outputs.tags }}
+
+      - name: Scan image
+        uses: aquasecurity/trivy-action@master
+        with:
+          image-ref: ${{ steps.metadata.outputs.tags }}
+          scanners: 'vuln,secret'
+          ignore-unfixed: true
+          severity: 'HIGH,CRITICAL'
+          format: 'table'
+          exit-code: '1'
+
+  repo-scan:
+    name: repo-scan
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+
+      - name: Scan repo
+        uses: aquasecurity/trivy-action@master
+        with:
+          scan-type: 'fs'
+          scan-ref: '.'
+          scanners: 'vuln,secret'
+          ignore-unfixed: true
+          severity: 'HIGH,CRITICAL'
+          format: 'table'
+          exit-code: '1'

.github/workflows/test.yaml

@@ -72,12 +72,3 @@ jobs:
           push: false
           load: true
           tags: ${{ steps.metadata.outputs.tags }}
-
-      - name: Run Trivy vulnerability scanner
-        uses: aquasecurity/trivy-action@master
-        with:
-          image-ref: ${{ steps.metadata.outputs.tags }}
-          scanners: 'vuln,config,secret'
-          ignore-unfixed: true
-          severity: 'HIGH,CRITICAL'
-          format: 'table'