ci: add security scan with trivy

.github/workflows/security-scan.yml

@@ -0,0 +1,48 @@
+name: Security scan
+on:
+  push:
+    branches:
+      - main
+      - dev
+  pull_request:
+  schedule:
+    - cron: '0 0 * * 0' # Every Sunday at 12:00 AM
+
+jobs:
+  trivy-scan:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout newrelic-php-agent code
+        uses: actions/checkout@v4
+        with:
+          path: php-agent
+      - name: Run Trivy in table mode
+        # Table output is only useful when running on a pull request or push.
+        if: contains(fromJSON('["push", "pull_request"]'), github.event_name)
+        uses: aquasecurity/[email protected]
+        with:
+          scan-type: fs
+          scan-ref: ./php-agent
+          trivy-config: ./php-agent/trivy.yaml
+          trivyignores: ./php-agent/.trivyignore
+          format: table
+          exit-code: 1
+
+      - name: Run Trivy in report mode
+        # Only generate sarif when running nightly on the dev branch.
+        if: ${{ github.event_name == 'schedule' }}
+        uses: aquasecurity/[email protected]
+        with:
+          scan-type: fs
+          scan-ref: ./php-agent
+          trivy-config: ./php-agent/trivy.yaml
+          trivyignores: ./php-agent/.trivyignore
+          format: sarif
+          output: trivy-results.sarif
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        # Only upload sarif when running nightly on the dev branch.
+        if: ${{ github.event_name == 'schedule' }}
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: trivy-results.sarif

.trivyignore

@@ -0,0 +1,2 @@
+# Ignore missing HEALTHCHECK in Dockerfile - devenv service from files/Dockerfile doesn't need it:
+AVD-DS-0026

docker-compose.yaml

@@ -80,7 +80,6 @@ services:
       dockerfile: files/Dockerfile
       args:
         PHP_VER: ${PHP:-8.3}
-    user: ${UID}:${GID}
     environment:
       MEMCACHE_HOST: memcached
 

files/Dockerfile

@@ -148,5 +148,10 @@ ENV PS1="New Relic > "
 RUN echo 'alias integ="/usr/src/myapp/bin/integration_runner -agent /usr/src/myapp/agent/.libs/newrelic.so"' >> ~/.bashrc \
   && echo 'alias rebuild="make -C agent clean && rm agent/Makefile && make && make tests"' >> ~/.bashrc
 
+ARG USER=developer
+ARG UID=501
+ARG GID=20
+RUN useradd --uid ${UID} --gid ${GID} --shell /bin/bash --create-home ${USER}
+USER ${USER}
 WORKDIR /usr/src/myapp
 CMD ["bash"]

trivy.yaml

@@ -0,0 +1,18 @@
+db:
+  repository:
+    - mirror.gcr.io/aquasec/trivy-db:2
+
+scan:
+  scanners: 
+    - vuln
+    - misconfig
+  skip-dirs: vendor
+
+severities:
+  - CRITICAL
+  - HIGH
+  - MEDIUM
+  - LOW
+
+vulnerability:
+  ignore-unfixed: true