From 72826f22b19bbef6828381845c8a90dae9286494 Mon Sep 17 00:00:00 2001
From: Wolfgang Hottgenroth
Date: Tue, 11 Feb 2025 13:00:41 +0100
Subject: [PATCH] adjust scan stage
---
 .woodpecker.yml | 36 +++++++++++++++++++++++++++++++++---
 1 file changed, 33 insertions(+), 3 deletions(-)
diff --git a/.woodpecker.yml b/.woodpecker.yml
index fa9fd9d..ffe9665 100644
--- a/.woodpecker.yml
+++ b/.woodpecker.yml
@@ -16,13 +16,43 @@ steps:
 when:
 - event: [push,tag]
- scan_image:
- image: aquasec/trivy
+ scan:
+ image: quay.io/wollud1969/woodpecker-helper:0.5.1
+ environment:
+ TRIVY_TOKEN:
+ from_secret: trivy_token
+ TRIVY_URL:
+ from_secret: trivy_url
+ DTRACK_API_KEY:
+ from_secret: dtrack_api_key
+ DTRACK_API_URL:
+ from_secret: dtrack_api_url
 commands:
- - TRIVY_DISABLE_VEX_NOTICE=1 trivy image $FORGE_NAME/$CI_REPO:$CI_COMMIT_SHA --quiet --exit-code 1
+ - export GOPATH=/woodpecker/go # the export is required, otherwise trivy will not consider the variable
+ - HOME=/home/`id -nu`
+ - TAG="${CI_COMMIT_TAG:-$CI_COMMIT_SHA}"
+ - |
+ trivy image \
+ --server $TRIVY_URL \
+ --token $TRIVY_TOKEN \
+ --format cyclonedx \
+ --scanners license \
+ --output /tmp/sbom.xml \
+ $FORGE_NAME/$CI_REPO:$CI_COMMIT_SHA
+ - cat /tmp/sbom.xml
+ - |
+ curl -X "POST" \
+ -H "Content-Type: multipart/form-data" \
+ -H "X-Api-Key: $DTRACK_API_KEY" \
+ -F "autoCreate=true" \
+ -F "projectName=$CI_REPO" \
+ -F "projectVersion=$TAG" \
+ -F "bom=@/tmp/sbom.xml"\
+ "$DTRACK_API_URL/api/v1/bom"
 when:
 - event: [push, tag]
+
 deploy:
 image: portainer/kubectl-shell:latest
 secrets: