chore: cx standardization

.github/workflows/security.yml

@@ -33,37 +33,6 @@ jobs:
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb #v3.3.0
 
-  trivy-scanning:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout Source
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
-
-      - name: Build and load (not push)
-        uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0 # v5.3.0
-        with:
-          load: true
-          context: .
-          file: ./Dockerfile
-          platforms: linux/amd64
-          push: false
-          tags: checkmarx/2ms:scanme
-
-      - name: Run Trivy Scan
-        uses: aquasecurity/trivy-action@915b19bbe73b92a6cf82a1bc12b087c9a19a5fe2 # v0.28.0
-        with:
-          image-ref: checkmarx/2ms:scanme
-          vuln-type: os,library
-          format: table
-          ignore-unfixed: true
-          severity: CRITICAL,HIGH,MEDIUM,LOW,UNKNOWN
-          trivy-config: trivy.yaml
-          exit-code: '1'
-        env:
-          TRIVY_SKIP_DB_UPDATE: true
-          TRIVY_SKIP_JAVA_DB_UPDATE: true
-
-
   secret-scanning:
     runs-on: ubuntu-latest
     steps:

.github/workflows/update-trivy-cache.yml → .github/workflows/trivy-cache.yaml

@@ -36,4 +36,4 @@ jobs:
         uses: actions/cache/save@1bd1e32a3bdc45362d1e726936510720a7c30a57 #v4.2.0
         with:
           path: ${{ github.workspace }}/.cache/trivy
-          key: cache-trivy-${{ steps.date.outputs.date }}
+          key: cache-trivy-${{ steps.date.outputs.date }}

.github/workflows/trivy-vulnerability-scan.yaml

@@ -0,0 +1,40 @@
+name: Trivy-scan
+on:
+  push:
+  workflow_dispatch:
+  pull_request:
+    branches:
+      - master
+  schedule:
+    - cron: '5 6 * * *'  # Runs every day at 06:05 UTC
+
+jobs:
+  trivy-scan:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout Source
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+
+      - name: Build and load (not push)
+        uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0 # v5.3.0
+        with:
+          load: true
+          context: .
+          file: ./Dockerfile
+          platforms: linux/amd64
+          push: false
+          tags: checkmarx/2ms:scanme
+
+      - name: Run Trivy Scan
+        uses: aquasecurity/trivy-action@915b19bbe73b92a6cf82a1bc12b087c9a19a5fe2 # v0.28.0
+        with:
+          image-ref: checkmarx/2ms:scanme
+          vuln-type: os,library
+          format: table
+          ignore-unfixed: true
+          severity: CRITICAL,HIGH,MEDIUM,LOW,UNKNOWN
+          trivy-config: trivy.yaml
+          exit-code: '1'
+        env:
+          TRIVY_SKIP_DB_UPDATE: true
+          TRIVY_SKIP_JAVA_DB_UPDATE: true

Dockerfile

@@ -20,7 +20,7 @@ COPY . .
 RUN GOOS=linux GOARCH=amd64 go build -ldflags="-s -w" -a -o /app/2ms .
 
 # Runtime image
-FROM cgr.dev/chainguard/git@sha256:b0dbd0c3c6a0f44c0522663c3a7f9b47f8e62ed419c88c37199f61308f19829c
+FROM cgr.dev/chainguard/git@sha256:fb9f28194b4dda3ea74c68d731238d1f32023849bca04c5652638e8e199fb956
 
 WORKDIR /app
 

trivy-whitelist.openvex

@@ -0,0 +1,9 @@
+{
+  "@context": "https://openvex.dev/ns",
+  "@id": "https://openvex.dev/docs/public/vex-2e67563e128250cbcb3e98930df948dd053e43271d70dc50cfa22d57e03fe96f",
+  "timestamp": "2024-05-08T16:00:16.853479631-06:00",
+  "version": 1,
+  "author":"Omer fainshtein",
+  "statements": [
+  ]
+}