.github/workflows/reusable-container-workflow.yml

name: Reusable container workflow 
permissions: read-all

on:
  workflow_call:
    inputs:
      docker-path:
        required: true
        type: string

jobs:
  trivy-repo:
    name: Trivy-repo
    runs-on: ubuntu-18.04
    permissions:
      actions: read
      contents: read
      security-events: write
    steps:
      - name: Checkout code
        uses: actions/checkout@v3

      - name: Run Trivy vulnerability scanner in repo mode
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: 'fs'
          scan-ref: ${{ inputs.docker-path }}
          ignore-unfixed: true
          format: 'template'
          template: '@/contrib/sarif.tpl'
          output: 'trivy-results-repo.sarif'

      - name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v2
        if: always()
        with:
          sarif_file: 'trivy-results-repo.sarif'
  trivy-iac:
    name: Trivy-IaC
    runs-on: ubuntu-18.04
    steps:
      - name: Checkout code
        uses: actions/checkout@v3

      - name: Run Trivy vulnerability scanner in IaC mode
        uses: aquasecurity/trivy-action@master
        with:
          scan-ref: ${{ inputs.docker-path }}/Dockerfile
          scan-type: 'config'
          hide-progress: false
          format: 'template'
          template: '@/contrib/sarif.tpl'
          output: 'trivy-results-iac.sarif'
          # exit-code: '1' # Fail pipeline if issues found

      - name: Upload Trivy scan results to GitHub Security tab IaC
        uses: github/codeql-action/upload-sarif@v2
        if: always()
        with:
          sarif_file: 'trivy-results-iac.sarif'
  grype:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - name: Build the Container image
        run: docker build . --file ${{ inputs.docker-path }}/Dockerfile --tag localbuild/testimage:latest
      - uses: anchore/scan-action@v3
        id: scan
        with:
          image: "localbuild/testimage:latest"
          acs-report-enable: true
          include-app-packages: true
          fail-build: false # true = Fail pipeline if issues found 
      - name: upload Anchore scan SARIF report
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: ${{ steps.scan.outputs.sarif }}