Replace FOSSA with Trivy (#1320)

2026-04-15 07:16:34 +00:00 · 2023-08-31 17:19:09 -05:00
parent 1dedbcd67a
commit 8d527ead8c
3 changed files with 42 additions and 53 deletions
--- a/.github/workflows/fossa.yaml
+++ b/.github/workflows/fossa.yaml
@@ -1,49 +0,0 @@
-name: FOSSA license scan
-
-on:
-  pull_request_target: # this is safe as these scans do not execute provided code
-    branches:
-      - main
-    paths:
-      - go.sum
-
-  push:
-    branches:
-      - main
-
-jobs:
-  fossa-scan-pr:
-    runs-on: ubuntu-latest
-    if: github.event_name == 'pull_request'
-    steps:
-      - uses: actions/checkout@v3
-        with:
-          ref: refs/pull/${{ github.event.number }}/merge
-      - name: "Install FOSSA" 
-        uses: replicatedhq/action-fossa/install@main
-      - name: "Run FOSSA Scan"
-        uses: replicatedhq/action-fossa/scan@main
-        with:
-          api-key: ${{ secrets.FOSSA_API_KEY }}
-          diff: true
-          diff-ref: ${{ github.event.pull_request.base.sha }}
-          debug: true
-
-  fossa-scan-merge:
-    runs-on: ubuntu-latest
-    if: github.event_name == 'push'
-    steps:
-      - uses: actions/checkout@v3
-        with:
-          fetch-depth: 2
-      - id: previous
-        run: echo "sha=$(git rev-parse HEAD~1)" >> "${GITHUB_OUTPUT}"
-      - name: "Install FOSSA" 
-        uses: replicatedhq/action-fossa/install@main
-      - name: "Run FOSSA Scan"
-        uses: replicatedhq/action-fossa/scan@main
-        with:
-          api-key: ${{ secrets.FOSSA_API_KEY }}
-          diff: true
-          diff-ref: ${{ steps.previous.outputs.sha }}
-          debug: true
--- a/.github/workflows/license.yaml
+++ b/.github/workflows/license.yaml
@@ -0,0 +1,42 @@
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+
+env:
+  TRIVY_VERSION: 0.44.1
+
+name: License scan
+
+jobs:
+  license:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+
+      - name: Setup Go
+        uses: actions/setup-go@v4
+
+      - name: Install Go deps
+        run: go mod download
+
+      - name: Install trivy
+        run: |
+          wget https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}/trivy_${TRIVY_VERSION}_Linux-64bit.deb
+          sudo dpkg -i trivy_${TRIVY_VERSION}_Linux-64bit.deb
+
+      - name: Create license report artifact
+        run: trivy fs --scanners license --skip-dirs ".github" . | tee license-report.txt
+
+      - name: Upload license report artifact
+        uses: actions/upload-artifact@v3
+        with:
+          name: license-report
+          path: license-report.txt
+
+      - name: Check for unknown licenses
+        run: trivy fs --scanners license --skip-dirs ".github" --exit-code 1 --severity UNKNOWN . || echo "::warning::Unknown licenses found, please verify"
+
+      - name: Check for forbidden licenses and fail
+        run: trivy fs --scanners license --skip-dirs ".github" --exit-code 1 --severity CRITICAL,HIGH .