pipelines/.github/workflows/trivy_fs.yaml

on:
  workflow_call:
    secrets:
      DEPENDENCYTRACK_URL:
        required: true
      DEPENDENCYTRACK_API_KEY:
        required: true
      DEPENDENCYTRACK_PROJECT_UUID:
        required: true

name: Trivy
jobs:
  trivy:
    name: SBOM & Dependency Track
    runs-on: ubuntu-latest
 
    steps:
      - name: Checkout
        uses: actions/checkout@v4
 
      - name: Install Trivy
        run: |
          curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh \
            | sh -s -- -b /usr/local/bin
          trivy --version
 
      - name: Generate SBOM
        run: |
          trivy fs . \
            --format cyclonedx \
            --output sbom.json \
            --quiet
          echo "✅ SBOM generated"
 
      - name: Upload SBOM to Dependency-Track
        run: |
          HTTP_STATUS=$(curl --silent \
            --output /tmp/dt-response.json \
            --write-out "%{http_code}" \
            -X POST "${{ secrets.DEPENDENCYTRACK_URL }}/api/v1/bom" \
            -H "X-Api-Key: ${{ secrets.DEPENDENCYTRACK_API_KEY }}" \
            -H "Content-Type: multipart/form-data" \
            -F "project=${{ secrets.DEPENDENCYTRACK_PROJECT_UUID }}" \
            -F "bom=@sbom.json")
 
          echo "Response: $(cat /tmp/dt-response.json)"
 
          if [ "$HTTP_STATUS" -ne 200 ]; then
            echo "❌ Upload failed – HTTP Status: ${HTTP_STATUS}"
            exit 1
          fi
 
          echo "✅ SBOM uploaded"
 
      - name: Check Dependency-Track Results
        run: |
          echo "⏳ Wait for results..."
          sleep 15
 
          curl --silent \
            "${{ secrets.DEPENDENCYTRACK_URL }}/api/v1/metrics/project/${{ secrets.DEPENDENCYTRACK_PROJECT_UUID }}/current" \
            -H "X-Api-Key: ${{ secrets.DEPENDENCYTRACK_API_KEY }}" \
            | python3 -c "
          import sys, json
          d = json.load(sys.stdin)
          critical = d.get('critical', 0)
          high     = d.get('high', 0)
          medium   = d.get('medium', 0)
          low      = d.get('low', 0)
          print(f'┌─ Dependency-Track Results ────')
          print(f'│  Critical : {critical}')
          print(f'│  High     : {high}')
          print(f'│  Medium   : {medium}')
          print(f'│  Low      : {low}')
          print(f'└───────────────────────────────')
          if critical > 0:
              print('❌ Critical found!')
              sys.exit(1)
          print('✅ Passed')
          "