security(trivy): add trivy to supply chain (#793)

Author: moscaale

.github/semgrep.yaml .github/semgrep-rules.yml.github/semgrep.yaml renamed to .github/semgrep-rules.yml

@@ -1,17 +1,17 @@
-name: Build and deploy
+name: Build, scan images and deploy
 
 on:
   push:
     branches:
       - main
   release:
-    types: 
+    types:
       - published
       - edited
-  workflow_dispatch: # Add this to allow manual triggering
+  workflow_dispatch:
 
 jobs:
-  build-api:
+  build-opengatellm-api:
     name: Build and push OpenGateLLM API image
     runs-on: ubuntu-latest
     env:
@@ -112,7 +112,7 @@ jobs:
           tags: ${{ env.GITHUB_PLAYGROUND_IMAGE_NAME }}:${{ env.IMAGE_TAG }}
           cache-from: type=registry,ref=${{ env.GITHUB_PLAYGROUND_IMAGE_NAME }}:cache
           cache-to: type=registry,ref=${{ env.GITHUB_PLAYGROUND_IMAGE_NAME }}:cache,mode=max
-          
+
   build-albert-playground:
     name: Build and push Albert playground image
     runs-on: ubuntu-latest
@@ -123,13 +123,12 @@ jobs:
       matrix:
         environment: [dev, staging, prod]
         include:
-          - environment: prod
-            url: https://albert.playground.etalab.gouv.fr
-          - environment: staging
-            url: https://albert.playground.staging.etalab.gouv.fr
           - environment: dev
             url: https://albert.playground.dev.etalab.gouv.fr
-    
+          - environment: staging
+            url: https://albert.playground.staging.etalab.gouv.fr
+          - environment: prod
+            url: https://albert.playground.etalab.gouv.fr
     steps:
       - name: Checkout repository
         uses: actions/checkout@v4
@@ -160,18 +159,47 @@ jobs:
           tags: ${{ env.GITLAB_PLAYGROUND_IMAGE_NAME }}/${{ matrix.environment }}:${{ env.IMAGE_TAG }}
           cache-from: type=registry,ref=${{ env.GITHUB_PLAYGROUND_IMAGE_NAME }}:cache
 
+  trivy-scan-api:
+    name: Trivy scan — API
+    needs: build-opengatellm-api
+    uses: ./.github/workflows/trivy-scan.yml
+    with:
+      image-name: ghcr.io/etalab-ia/opengatellm/api
+      image-tag: ${{ github.event_name == 'release' && github.event.release.tag_name || 'latest' }}
+
+  trivy-scan-playground:
+    name: Trivy scan — Playground
+    needs: build-opengatellm-playground
+    uses: ./.github/workflows/trivy-scan.yml
+    with:
+      image-name: ghcr.io/etalab-ia/opengatellm/playground
+      image-tag: ${{ github.event_name == 'release' && github.event.release.tag_name || 'latest' }}
+
+  trivy-scan-worker:
+    name: Trivy scan — Worker
+    needs: build-opengatellm-worker
+    uses: ./.github/workflows/trivy-scan.yml
+    with:
+      image-name: ghcr.io/etalab-ia/opengatellm/worker
+      image-tag: ${{ github.event_name == 'release' && github.event.release.tag_name || 'latest' }}
+
   deploy-dev:
     if: github.event_name == 'push' # Only deploy on push to main
     name: Deploy from ${{ github.ref_name }}/${{ github.sha }}
     runs-on: ubuntu-latest
-    needs: [build-api, build-opengatellm-playground, build-albert-playground]
+    needs:
+      - build-opengatellm-api
+      - trivy-scan-api
+      - build-opengatellm-playground
+      - trivy-scan-playground
+      - build-albert-playground
     steps:
       - name: Trigger dev deployment
         run: |
           RESPONSE="$(curl --request POST \
             --form token=${{ secrets.GITLAB_CI_TOKEN }} \
             --form ref=main \
-            --form 'variables[pipeline_name]=${{ github.event.repository.name }} - ${{ needs.build-api.outputs.commit_title }}' \
+            --form 'variables[pipeline_name]=${{ github.event.repository.name }} - ${{ needs.build-opengatellm-api.outputs.commit_title }}' \
             --form 'variables[docker_image_tag]=latest' \
             --form 'variables[application_to_deploy]=albert-api' \
             --form 'variables[deployment_environment]=dev' \

.github/workflows/build_and_deploy.yml

@@ -39,9 +39,9 @@ jobs:
             --config auto \ 
             --config p/default \
             --config p/secrets \
-            --config p/security-audit
-            --config .github/semgrep.yaml
-            --severity WARNING
+            --config p/security-audit \
+            --config .github/semgrep-rules.yml \
+            --severity WARNING \
           exit 0  # Never block this job
 
       - name: Run Semgrep (ERROR severity only)
@@ -50,7 +50,7 @@ jobs:
             --config auto \ 
             --config p/default \
             --config p/secrets \
-            --config p/security-audit
-            --config .github/semgrep.yaml
+            --config p/security-audit \
+            --config .github/semgrep-rules.yml \
             --severity ERROR \
             --error 

.github/workflows/semgrep.yml

@@ -0,0 +1,44 @@
+name: Trivy Scan
+
+on:
+  workflow_call:
+    inputs:
+      image-name:
+        description: "Full image name (ex: ghcr.io/org/repo/api)"
+        required: true
+        type: string
+      image-tag:
+        description: "Image tag to scan"
+        required: true
+        type: string
+
+jobs:
+  trivy-scan:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Log in to GitHub Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Trivy scan (HIGH — warning)
+        uses: aquasecurity/trivy-action@v0.35.0
+        with:
+          image-ref: ${{ inputs.image-name }}:${{ inputs.image-tag }}
+          format: 'table'
+          severity: 'HIGH'
+          exit-code: "0"
+
+      # CRITICAL → bloque le pipeline
+      - name: Trivy scan (CRITICAL — blocking)
+        uses: aquasecurity/trivy-action@v0.35.0
+        with:
+          image-ref: ${{ inputs.image-name }}:${{ inputs.image-tag }}
+          format: 'table'
+          severity: 'CRITICAL'
+          exit-code: "1"