ci: add security scan with trivy (#985)

Security scan with trivy will be run on push to main and dev, pull
request, and weekly. trivy will skip scanning vendor subdirectory
because the agent is not using code from that directory.

.github/workflows/security-scan.yml

@@ -0,0 +1,48 @@
+name: Security scan
+on:
+  push:
+    branches:
+      - main
+      - dev
+  pull_request:
+  schedule:
+    - cron: '0 0 * * 0' # Every Sunday at 12:00 AM
+
+jobs:
+  trivy-scan:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout newrelic-php-agent code
+        uses: actions/checkout@v4
+        with:
+          path: php-agent
+      - name: Run Trivy in table mode
+        # Table output is only useful when running on a pull request or push.
+        if: contains(fromJSON('["push", "pull_request"]'), github.event_name)
+        uses: aquasecurity/[email protected]
+        with:
+          scan-type: fs
+          scan-ref: ./php-agent
+          trivy-config: ./php-agent/trivy.yaml
+          trivyignores: ./php-agent/.trivyignore
+          format: table
+          exit-code: 1
+
+      - name: Run Trivy in report mode
+        # Only generate sarif when running nightly on the dev branch.
+        if: ${{ github.event_name == 'schedule' }}
+        uses: aquasecurity/[email protected]
+        with:
+          scan-type: fs
+          scan-ref: ./php-agent
+          trivy-config: ./php-agent/trivy.yaml
+          trivyignores: ./php-agent/.trivyignore
+          format: sarif
+          output: trivy-results.sarif
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        # Only upload sarif when running nightly on the dev branch.
+        if: ${{ github.event_name == 'schedule' }}
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: trivy-results.sarif

.trivyignore

@@ -0,0 +1,2 @@
+# Ignore missing HEALTHCHECK in Dockerfile - devenv service from files/Dockerfile doesn't need it:
+AVD-DS-0026

docker-compose.yaml

@@ -80,7 +80,6 @@ services:
       dockerfile: files/Dockerfile
       args:
         PHP_VER: ${PHP:-8.3}
-    user: ${UID}:${GID}
     environment:
       MEMCACHE_HOST: memcached
 

files/Dockerfile

@@ -148,5 +148,10 @@ ENV PS1="New Relic > "
 RUN echo 'alias integ="/usr/src/myapp/bin/integration_runner -agent /usr/src/myapp/agent/.libs/newrelic.so"' >> ~/.bashrc \
   && echo 'alias rebuild="make -C agent clean && rm agent/Makefile && make && make tests"' >> ~/.bashrc
 
+ARG USER=developer
+ARG UID=501
+ARG GID=20
+RUN useradd --uid ${UID} --gid ${GID} --shell /bin/bash --create-home ${USER}
+USER ${USER}
 WORKDIR /usr/src/myapp
 CMD ["bash"]

trivy.yaml

@@ -0,0 +1,18 @@
+db:
+  repository:
+    - mirror.gcr.io/aquasec/trivy-db:2
+
+scan:
+  scanners: 
+    - vuln
+    - misconfig
+  skip-dirs: vendor
+
+severities:
+  - CRITICAL
+  - HIGH
+  - MEDIUM
+  - LOW
+
+vulnerability:
+  ignore-unfixed: true