open-edge-platform · ashwinvaidya17 · May 22, 2023 · May 16, 2023 · May 19, 2023 · May 19, 2023
@@ -0,0 +1,11 @@
+ignore-policy: ""
+ignorefile: .trivyignore
+insecure: false
+scan:
+  scanners:
+    - vuln
+    - secret
+  slow: false
+severity: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
+vulnerability:
+  ignore-unfixed: false
@@ -27,29 +27,25 @@ jobs:
           path: .tox/bandit-report.txt
         # Use always() to always run this step to publish scan results when there are test failures
         if: ${{ always() }}
-  Snyk-scan:
-    runs-on: [self-hosted, linux, x64]
-    permissions:
-      security-events: write
+  Trivy-scan:
+    runs-on: ubuntu-20.04
     steps:
-      - name: CHECKOUT REPOSITORY
+      - name: Checkout code
         uses: actions/checkout@v3
-      - name: Install Tox
+      - name: Set up Python
+        uses: actions/setup-python@v4
+        with:
+          python-version: "3.10"
+      - name: Install dependencies
         run: python -m pip install tox
-      - name: SNYK SCANNING
+      - name: Trivy Scanning
         env:
-          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
-          SNYK_ENDPOINT: ${{ secrets.SNYK_ENDPOINT }}
-        continue-on-error: true
-        run: tox -e snyk-scan
-      - name: UPLOAD TO SECURITY ADVISORIES
-        uses: github/codeql-action/upload-sarif@v2
-        with:
-          sarif_file: .tox/snyk.sarif
-      - name: UPLOAD SNYK REPORT
+          TRIVY_DOWNLOAD_URL: ${{ vars.TRIVY_DOWNLOAD_URL }}
+        run: tox -vv -e trivy-scan
+      - name: Upload Trivy results artifact
         uses: actions/upload-artifact@v3
         with:
-          name: snyk-report
-          path: .tox/snyk.html
-        # Use always() to always run this step to publish scan results when there are test failures
-        if: ${{ always() }}
+          name: trivy-results
+          path: |
+            .tox/trivy-scan-results.txt
+            .tox/trivy-spdx-otx.json
@@ -7,17 +7,20 @@ envlist =
     nightly
     snyk-scan
 
+[testenv]
+passenv = ftp_proxy
+    HTTP_PROXY
+    HTTPS_PROXY
+    CUDA_VISIBLE_DEVICES
+
 [testenv:pre-commit]
 basepython = py310
 deps =
     pre-commit
 commands = pre-commit run --all-files
 
 [testenv:pre-merge-py{38,39,310}]
-passenv = ftp_proxy
-    HTTP_PROXY
-    HTTPS_PROXY
-    CUDA_VISIBLE_DEVICES
+passenv = {[testenv]deps}
     ANOMALIB_DATASET_PATH
 deps =
     coverage[toml]
@@ -47,10 +50,7 @@ commands =
 
 [testenv:nightly]
 basepython = py310
-passenv = ftp_proxy
-    HTTP_PROXY
-    HTTPS_PROXY
-    CUDA_VISIBLE_DEVICES
+passenv = {[testenv]deps}
     ANOMALIB_DATASET_PATH
 deps =
     coverage
@@ -66,43 +66,32 @@ commands =
     coverage report -m --fail-under=33
     coverage xml -o {toxworkdir}/coverage.xml
 
-[testenv:snyk-scan]
+[testenv:trivy-scan]
 basepython = py310
-passenv = ftp_proxy
-    HTTP_PROXY
-    HTTPS_PROXY
-    CUDA_VISIBLE_DEVICES
-    ANOMALIB_DATASET_PATH
-    SNYK_ENDPOINT
-    SNYK_TOKEN
+passenv = TRIVY_DOWNLOAD_URL
 allowlist_externals =
     bash
     curl
-    wget
-    chmod
+    tar
     rm
-    *snyk*
+    *trivy*
+    cat
 install_command = pip install --no-cache-dir {opts} {packages}
 deps =
     -r{toxinidir}/requirements/base.txt
     -r{toxinidir}/requirements/openvino.txt
     -r{toxinidir}/requirements/loggers.txt
     -r{toxinidir}/requirements/notebooks.txt
 commands =
-    bash -c "pip freeze > snyk-req.txt"
-    curl https://static.snyk.io/cli/latest/snyk-linux -o {toxworkdir}/snyk
-    chmod +x {toxworkdir}/snyk
-    {toxworkdir}/snyk config set endpoint={env:SNYK_ENDPOINT}
-    {toxworkdir}/snyk config set disable-analytics=1
-    ; ignore exit code of the SNYK scanning to generate a report
-    - {toxworkdir}/snyk test --file=snyk-req.txt --package-manager=pip --sarif-file-output={toxworkdir}/snyk.sarif --json-file-output={toxworkdir}/snyk.json --debug
-    - {toxworkdir}/snyk monitor --file=snyk-req.txt --package-manager=pip
-    wget -P .tox/ https://github.com/snyk/snyk-to-html/releases/download/v2.3.6/snyk-to-html-linux
-    chmod +x {toxworkdir}/snyk-to-html-linux
-    {toxworkdir}/snyk-to-html-linux -i {toxworkdir}/snyk.json -o {toxworkdir}/snyk.html -d
-    rm {toxworkdir}/snyk
-    rm {toxworkdir}/snyk-to-html-linux
-    rm snyk-req.txt
+    bash -c "pip freeze > requirements.txt"
+    curl -L0 {env:TRIVY_DOWNLOAD_URL} -o {toxworkdir}/trivy.tar.gz
+    tar -xzf {toxworkdir}/trivy.tar.gz -C {toxworkdir}
+    {toxworkdir}/trivy fs -c .ci/trivy.yaml -o {toxworkdir}/trivy-scan-results.txt ./requirements.txt
+    {toxworkdir}/trivy fs -c .ci/trivy.yaml --format spdx-json -o {toxworkdir}/trivy-spdx-otx.json ./requirements.txt
+    cat {toxworkdir}/trivy-scan-results.txt
+    rm {toxworkdir}/trivy.tar.gz
+    rm {toxworkdir}/trivy
+    rm requirements.txt
 
 [testenv:bandit-scan]
 skip_install = true