From aa690ed10e39fe33da284c745ecb89d46dbaa7a4 Mon Sep 17 00:00:00 2001
From: linglp
Date: Tue, 25 Jun 2024 11:46:09 -0400
Subject: [PATCH 1/5] add workflow dispatch
---
 .github/workflows/scan_repo.yml | 32 ++++++++++++++++++++++++++++++++
 1 file changed, 32 insertions(+)
 create mode 100644 .github/workflows/scan_repo.yml
diff --git a/.github/workflows/scan_repo.yml b/.github/workflows/scan_repo.yml
new file mode 100644
index 000000000..d062f3df7
--- /dev/null
+++ b/.github/workflows/scan_repo.yml
@@ -0,0 +1,32 @@
+# borrowed from mono repo: https://github.com/Sage-Bionetworks/sage-monorepo/blob/main/.github/workflows/scan-repo.yml
+name: Scan Git repo
+on:
+ push:
+ branches:
+ - develop
+ pull_request:
+ workflow_dispatch:
+
+jobs:
+ trivy:
+ name: Trivy
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v3
+
+ - name: Run Trivy vulnerability scanner in repo mode
+ uses: aquasecurity/trivy-action@master
+ with:
+ scan-type: 'fs'
+ ignore-unfixed: true
+ format: 'sarif'
+ output: 'trivy-results.sarif'
+ severity: 'CRITICAL,HIGH'
+ limit-severities-for-sarif: true
+
+ - name: Upload Trivy scan results to GitHub Security tab
+ uses: github/codeql-action/upload-sarif@v2
+ with:
+ sarif_file: 'trivy-results.sarif'
+ category: Git Repository
\ No newline at end of file
From 45933e6064412ac26acacc69ded8c5d4b5f62cae Mon Sep 17 00:00:00 2001
From: linglp
Date: Tue, 25 Jun 2024 11:59:30 -0400
Subject: [PATCH 2/5] update to use v3
---
 .github/workflows/scan_repo.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/scan_repo.yml b/.github/workflows/scan_repo.yml
index d062f3df7..d7b5c36c0 100644
--- a/.github/workflows/scan_repo.yml
+++ b/.github/workflows/scan_repo.yml
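Review bot: In the first patch's new-file hunk, `uses: aquasecurity/trivy-action@master` on the Trivy step runs whatever the action's default branch holds at the time of each run, so a compromised or simply broken upstream commit executes with this repository's token on every push to develop and every pull request; pin it to a release tag, or better a full commit SHA with the version in a trailing comment, and treat `actions/checkout@v3` and `github/codeql-action/upload-sarif@v2` the same way. The workflow also declares no `permissions:` block, yet `upload-sarif` needs `security-events: write`: on a repository whose default token is read-only the upload step fails, and on one whose default is write-all every step runs with far more than it needs. The `pull_request` trigger presumably also fires for forks, where the token is read-only regardless of this block, so the upload step may need an `if:` guard — worth confirming against the repository settings. The file is also written without a trailing newline. Both the least-privilege block and the pin are shown below.

```yaml
name: Scan Git repo
# … unchanged: on: triggers …

# Least privilege for GITHUB_TOKEN: checkout needs contents read, upload-sarif needs security-events write.
permissions:
  contents: read
  security-events: write

jobs:
  trivy:
    # … unchanged: name, runs-on, checkout step …
      - name: Run Trivy vulnerability scanner in repo mode
        # <FULL-COMMIT-SHA> is a placeholder: pin to the SHA of a tagged trivy-action release.
        uses: aquasecurity/trivy-action@<FULL-COMMIT-SHA>  # vX.Y.Z
        # … unchanged: with: block …
```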
@@ -26,7 +26,7 @@ jobs:
 limit-severities-for-sarif: true
 - name: Upload Trivy scan results to GitHub Security tab
- uses: github/codeql-action/upload-sarif@v2
+ uses: github/codeql-action/upload-sarif@v3
 with:
 sarif_file: 'trivy-results.sarif'
 category: Git Repository
\ No newline at end of file
From a5082a1f8a6a578791cd84aa4c1d83a29f91c6c4 Mon Sep 17 00:00:00 2001
From: linglp
Date: Tue, 25 Jun 2024 12:06:21 -0400
Subject: [PATCH 3/5] severity set to medium
---
 .github/workflows/scan_repo.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/scan_repo.yml b/.github/workflows/scan_repo.yml
index d7b5c36c0..c28233203 100644
--- a/.github/workflows/scan_repo.yml
+++ b/.github/workflows/scan_repo.yml
@@ -1,4 +1,4 @@
-# borrowed from mono repo: https://github.com/Sage-Bionetworks/sage-monorepo/blob/main/.github/workflows/scan-repo.yml
+# Modified from mono repo: https://github.com/Sage-Bionetworks/sage-monorepo/blob/main/.github/workflows/scan-repo.yml
 name: Scan Git repo
 on:
 push:
@@ -22,7 +22,7 @@ jobs:
 ignore-unfixed: true
 format: 'sarif'
 output: 'trivy-results.sarif'
- severity: 'CRITICAL,HIGH'
+ severity: 'CRITICAL,HIGH,MEDIUM'
 limit-severities-for-sarif: true
 - name: Upload Trivy scan results to GitHub Security tab
From 0e93b5bd8d1ebc5d912e191e540d4aa909654d6b Mon Sep 17 00:00:00 2001
From: linglp
Date: Tue, 25 Jun 2024 14:39:17 -0400
Subject: [PATCH 4/5] add comment
---
 .github/workflows/scan_repo.yml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/.github/workflows/scan_repo.yml b/.github/workflows/scan_repo.yml
index c28233203..ffe69c9f2 100644
--- a/.github/workflows/scan_repo.yml
+++ b/.github/workflows/scan_repo.yml
@@ -1,4 +1,5 @@
 # Modified from mono repo: https://github.com/Sage-Bionetworks/sage-monorepo/blob/main/.github/workflows/scan-repo.yml
+# Also, reference: https://github.com/aquasecurity/trivy-action?tab=readme-ov-file#using-trivy-to-scan-your-git-repo
 name: Scan Git repo
 on:
 push:
@@ -18,7 +19,9 @@ jobs:
 - name: Run Trivy vulnerability scanner in repo mode
 uses: aquasecurity/trivy-action@master
 with:
+ # the scan targets the file system.
 scan-type: 'fs'
+ # it will ignore vulnerabilities without a fix.
 ignore-unfixed: true
 format: 'sarif'
 output: 'trivy-results.sarif'
From 1b6f69408c7b96791253917eeb80026a9910390b Mon Sep 17 00:00:00 2001
From: linglp
Date: Fri, 19 Jul 2024 17:32:32 -0400
Subject: [PATCH 5/5] add severity low
---
 .github/workflows/scan_repo.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/scan_repo.yml b/.github/workflows/scan_repo.yml
index ffe69c9f2..6a93beee7 100644
--- a/.github/workflows/scan_repo.yml
+++ b/.github/workflows/scan_repo.yml
@@ -25,7 +25,7 @@ jobs:
 ignore-unfixed: true
 format: 'sarif'
 output: 'trivy-results.sarif'
- severity: 'CRITICAL,HIGH,MEDIUM'
+ severity: 'CRITICAL,HIGH,MEDIUM,LOW'
 limit-severities-for-sarif: true
 - name: Upload Trivy scan results to GitHub Security tab
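Review bot: In the last patch's hunk, with `LOW` appended the `severity` list names every level Trivy reports except `UNKNOWN`, so `limit-severities-for-sarif: true` on the following line no longer trims the SARIF in any meaningful way and the Security tab will receive every fixable finding down to LOW. If that is the intent, a comment on the line such as `# report every severity except UNKNOWN; the filter below is kept for when this list is narrowed` spares the next reader from wondering what the filter is for; otherwise drop `LOW` and keep the filter doing real work. Note that `ignore-unfixed: true` a few lines above still discards any finding, of any severity, that has no fix available, so the widened list does not surface unfixable LOW or MEDIUM issues. The step sets no `exit-code`, so as far as the visible hunks show the job still passes regardless of what is found; that is fine for a report-only workflow but worth stating in the step name or a comment.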