feat(ci/cd): Add scanning for M365 Image and Terraform Config (#10)

jacdavi · web-flow · commit ab71619bd518 · 2025-05-01T19:49:36.000-07:00
diff --git a/.github/workflows/m365_image_build.yaml b/.github/workflows/m365_image_build.yaml
@@ -16,6 +16,10 @@ env:
 
 jobs:
   build:
+    name: Build
+    runs-on: windows-latest
+    # This condition prevents duplicate runs.
+    if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name != github.event.pull_request.base.repo.full_name
     # based on https://github.com/orgs/community/discussions/26253#discussioncomment-6745038
     # intent is to run on current ref, unless this is a scheduled run, then run on list defined below
     strategy:
@@ -29,7 +33,6 @@ jobs:
           - { scheduled: false }
         include:
           - ref: ${{ github.head_ref || github.ref_name }} 
-    runs-on: windows-latest
     permissions:
       contents: read
       packages: write
@@ -98,6 +101,7 @@ jobs:
 
           docker build $docker_args m365/image
           echo "digest=$(docker images --no-trunc --quiet $Env:IMAGE.ToLower())" >> $Env:GITHUB_OUTPUT
+          echo "image=$($Env:IMAGE.ToLower())" >> $Env:GITHUB_OUTPUT
           if ($Env:PUSH -eq "true") {
             docker push $Env:IMAGE.ToLower() --all-tags
           }
@@ -122,3 +126,25 @@ jobs:
             cosign sign --yes "$_@$digest"
           }
           exit 0
+    outputs:
+      image:  ${{ steps.build-and-push.outputs.image }}
+  m365-scan:
+    name: Scan
+    if: github.ref == 'refs/heads/main'
+    permissions:
+      security-events: write
+    needs: build
+    runs-on: ubuntu-latest
+    steps:
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@0.28.0
+        with:
+          image-ref: ${{ needs.build.outputs.image }}:latest
+          format: 'sarif'
+          output: 'trivy-results.sarif'
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: 'trivy-results.sarif'
+          category: m365-image
diff --git a/.github/workflows/terraform_scan.yaml b/.github/workflows/terraform_scan.yaml
@@ -0,0 +1,32 @@
+name: Terraform Scan
+permissions:
+  security-events: write
+on:
+  push:
+    branches: [ "*" ]
+  pull_request:
+    branches: [ "main" ]
+jobs:
+  scan:
+    name: Scan
+    runs-on: ubuntu-latest
+    # This condition prevents duplicate runs.
+    if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name != github.event.pull_request.base.repo.full_name
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Run Trivy vulnerability scanner in IaC mode
+        uses: aquasecurity/trivy-action@0.28.0
+        with:
+          scan-type: 'config'
+          hide-progress: true
+          format: 'sarif'
+          output: 'trivy-results.sarif'
+          exit-code: '0'
+          severity: 'CRITICAL,HIGH,MEDIUM'
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: 'trivy-results.sarif'
+          category: terraform
