From c8d84f712b51b0b6001195c4c2bb014118719f96 Mon Sep 17 00:00:00 2001 From: Sergi Castro Date: Wed, 27 Mar 2024 08:57:14 +0100 Subject: [PATCH 1/2] add trivy scan
--- .github/workflows/scan.yaml | 37 +++++++++++++++++++++++++++++++++++++ Makefile | 17 +++++++++++------ 2 files changed, 48 insertions(+), 6 deletions(-) create mode 100644 .github/workflows/scan.yaml
diff --git a/.github/workflows/scan.yaml b/.github/workflows/scan.yaml new file mode 100644
index 0000000..014f1ad
--- /dev/null
+++ b/.github/workflows/scan.yaml
@@ -0,0 +1,37 @@
+name: Scan
+
+on:
+ push:
+ branches:
+ - main
+ - release-**
+ tags: [ 'v[0-9]+.[0-9]+.[0-9]+**' ] # Ex. v0.2.0, v0.2.1-rc2
+ pull_request:
+ branches:
+ - main
+ - release-**
+ workflow_dispatch: {}
+
+env:
+ GOPROXY: https://proxy.golang.org
+
+jobs:
+ scan:
+ runs-on: ubuntu-latest
+ env:
+ IMG: local/kubegres:scan
+ PLATFORMS: linux/amd64
+ steps:
+ - uses: docker/setup-qemu-action@v3
+ with:
+ platforms: amd64
+ - uses: docker/setup-buildx-action@v3
+ - uses: actions/checkout@v4
+ - run: make docker-build
+ - uses: aquasecurity/trivy-action@master
+ with:
+ image-ref: local/kubegres:scan-amd64
+ format: table
+ exit-code: 1
+ ignore-unfixed: true
+ severity: 'CRITICAL,HIGH'
diff --git a/Makefile b/Makefile
index f158f84..dbf8584 100644
--- a/Makefile
+++ b/Makefile
@@ -19,6 +19,9 @@ endif SHELL = /usr/bin/env bash -o pipefail .SHELLFLAGS = -ec
+comma := ,
+space := $(empty) $(empty) + +.PHONY: all all: build 
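Review bot: `uses: aquasecurity/trivy-action@master` pulls whatever currently sits on the action's default branch into a job that runs on every push and pull request, so the scanner can change under you and a broken or compromised upstream commit would execute with the repository checked out; the other actions in this step list are at least pinned to a major tag, and the second patch in this series leaves the `@master` ref untouched. Pin it to a release tag or, better, a full commit SHA, e.g. `uses: aquasecurity/trivy-action@<release-tag-or-commit-sha>  # <release-tag>`. The workflow also declares no `permissions:` block, so the job's GITHUB_TOKEN receives the repository's default scope; a top-level `permissions:` with `contents: read` is all that checkout and the local build need. Finally, `image-ref: local/kubegres:scan-amd64` restates the job-level `IMG` and `PLATFORMS` values by hand (the Makefile change in this patch tags the image `${IMG}-<arch>`), so `image-ref: ${{ env.IMG }}-amd64` would keep the two from drifting apart.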
@@ -85,13 +88,15 @@ docker-buildx: docker-build-push: build docker-buildx ## Build docker image with the manager. docker buildx build --builder $(DOCKER_BUILDER_NAME) --platform ${PLATFORMS} -t ${IMG} --push .
-# .PHONY: docker-build
-# docker-build: build ## Build docker image with the manager.
-# docker build -t ${IMG} .
+.PHONY: docker-build
+docker-build: $(addprefix docker-build/,$(subst $(comma),$(space),$(PLATFORMS))) ## Build docker images for all platforms.
-#.PHONY: docker-push
-#docker-push: ## Push docker image with the manager.
-# docker push ${IMG}
+# Intentionally build the image for a specific platform, using arch as the image tag suffix so we avoid overwriting the multi-arch images.
+.PHONY: docker-build/%
+docker-build/%: PLATFORM=$(*)
+docker-build/%: DOCKER_ARCH=$(notdir $(PLATFORM))
+docker-build/%: docker-buildx ## Build docker image with ARCH as image tag suffix. docker buildx build --builder $(DOCKER_BUILDER_NAME) --platform ${PLATFORM} -t ${IMG}-${DOCKER_ARCH} --load . ##@ Deployment From 320dbcfd3ab33961255e1383e4892f17fcfc568f Mon Sep 17 00:00:00 2001 From: Sergi Castro Date: Wed, 27 Mar 2024 12:06:38 +0100 Subject: [PATCH 2/2] Run MEDIUM severity CVEs
--- .github/workflows/scan.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/scan.yaml b/.github/workflows/scan.yaml
index 014f1ad..1ca23ac 100644
--- a/.github/workflows/scan.yaml
+++ b/.github/workflows/scan.yaml
@@ -34,4 +34,4 @@ jobs: format: table exit-code: 1 ignore-unfixed: true
- severity: 'CRITICAL,HIGH'
+ severity: 'CRITICAL,HIGH,MEDIUM'
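Review bot: `docker-build/%: DOCKER_ARCH=$(notdir $(PLATFORM))` keeps only the last path component of the platform, so a platform with a variant such as `linux/arm/v7` would be tagged `${IMG}-v7`, and two variants of the same architecture would overwrite each other's tag; with `PLATFORMS` set to `linux/amd64` in the new workflow this stays invisible, but the target is written to be generic over `PLATFORMS`. A suffix built from everything after the OS, `DOCKER_ARCH=$(subst /,-,$(patsubst linux/%,%,$(PLATFORM)))`, yields `amd64` and `arm-v7` respectively and keeps the current tag for the amd64 case. Note also that `make docker-build` no longer produces a plain `${IMG}` tag (only the `${IMG}-<arch>` images are loaded), which is exactly what the scan workflow hard-codes as `local/kubegres:scan-amd64`; the `## Build docker images for all platforms.` help text should say so, e.g. `## Build docker images for all platforms, tagged ${IMG}-<arch>.`, so callers of the old target know where the image went.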
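Review bot: With `exit-code: 1` set two lines above, widening to `severity: 'CRITICAL,HIGH,MEDIUM'` turns every medium-severity finding in the base image into a hard failure on the `push` and `pull_request` triggers, so an unrelated PR starts failing the moment a new medium CVE is published against the base image, and the commit message does not say whether that blocking behaviour is intended; `ignore-unfixed: true` narrows this to fixable findings but does not remove it. If the goal is visibility rather than gating, keep the failing step at `CRITICAL,HIGH` and report `MEDIUM` from a second invocation with `exit-code: 0`, or at least add a comment above the line recording why MEDIUM is a blocking threshold. The `with:` block this line belongs to starts outside the hunk.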