From c318a7f8645afdf7a1544cdff8f12e92f3bc9938 Mon Sep 17 00:00:00 2001
From: Yunchu Lee
Date: Fri, 29 Mar 2024 13:17:45 +0900
Subject: [PATCH] update trivy scan for gen spdx.json file
---
 .ci/{trivy.yaml => trivy-csv.yaml} | 0
 .ci/trivy-spdx-json.yaml | 6 ++++++
 .github/workflows/code_scan.yaml | 13 ++++++++++---
 3 files changed, 16 insertions(+), 3 deletions(-)
 rename .ci/{trivy.yaml => trivy-csv.yaml} (100%)
 create mode 100644 .ci/trivy-spdx-json.yaml
diff --git a/.ci/trivy.yaml b/.ci/trivy-csv.yaml
similarity index 100%
rename from .ci/trivy.yaml
rename to .ci/trivy-csv.yaml
diff --git a/.ci/trivy-spdx-json.yaml b/.ci/trivy-spdx-json.yaml
new file mode 100644
index 00000000000..79811807509
--- /dev/null
+++ b/.ci/trivy-spdx-json.yaml
@@ -0,0 +1,6 @@
+ignore-policy: ""
+ignorefile: .trivyignore
+format: spdx-json
+output: trivy-results.spdx.json
+list-all-pkgs: true
+debug: true
diff --git a/.github/workflows/code_scan.yaml b/.github/workflows/code_scan.yaml
index 5e521906321..ca7b7b8ac55 100644
--- a/.github/workflows/code_scan.yaml
+++ b/.github/workflows/code_scan.yaml
@@ -27,10 +27,17 @@ jobs:
 run: python -m pip install --require-hashes --no-deps -r .ci/piptools-deps.txt
 - name: Freeze dependencies
 run: pip-compile --extra=docs,base,mmlab,anomaly -o requirements.txt pyproject.toml
- - name: Trivy Scanning
+ - name: Trivy Scanning (csv)
 uses: aquasecurity/trivy-action@062f2592684a31eb3aa050cc61e7ca1451cecd3d # 0.18.0
 with:
- trivy-config: ".ci/trivy.yaml"
+ trivy-config: ".ci/trivy-csv.yaml"
+ scan-type: "fs"
+ scan-ref: .
+ scanners: vuln,secret
+ - name: Trivy Scanning (spdx.json)
+ uses: aquasecurity/trivy-action@062f2592684a31eb3aa050cc61e7ca1451cecd3d # 0.18.0
+ with:
+ trivy-config: ".ci/trivy-spdx-json.yaml"
 scan-type: "fs"
 scan-ref: .
 scanners: vuln,secret
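Review bot: `debug: true` at the end of the new `.ci/trivy-spdx-json.yaml` turns on Trivy's debug logging for every CI run of the SBOM step; that output is noisy and is not needed to produce an artifact, so it should be dropped (or gated behind a repository variable) rather than committed on. The `ignore-policy: ""` and `ignorefile: .trivyignore` keys above it read as if they filter the SBOM, but as far as I know ignore settings only suppress vulnerability findings and do not remove packages from SPDX output, which is exactly what `list-all-pkgs: true` asks for. A header comment such as `# SBOM generation: .trivyignore filters findings, not the package inventory` would keep a reader from assuming the SPDX file is trimmed by the ignore list.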
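Review bot: The new `Trivy Scanning (spdx.json)` step keeps `scanners: vuln,secret`, but its output is an SPDX document, which carries a package inventory and — to my understanding of Trivy's SBOM formats — no secret findings, so the secret scan in that step costs time and emits nothing anyone can read back. Since the csv step already runs `vuln,secret` over the same `scan-ref: .`, the SBOM step should narrow to `scanners: vuln` (or omit the key) with a comment such as `# SBOM only; vulnerability and secret findings come from the csv step above`. Neither step sets `exit-code`, so findings from the csv scan appear not to fail the job; that is pre-existing, but a one-line comment at the csv step saying so would stop readers from assuming the pipeline blocks on CVEs. The job's step list continues outside the hunk.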
@@ -38,7 +45,7 @@ jobs:
 uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
 with:
 name: trivy-results
- path: "${{ github.workspace }}/trivy-results.csv"
+ path: "${{ github.workspace }}/trivy-results.*"
 Bandit:
 runs-on: ubuntu-latest
 steps:
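Review bot: The widened `path: "${{ github.workspace }}/trivy-results.*"` lets the upload succeed silently when one or both scans wrote nothing, because upload-artifact v4 defaults `if-no-files-found` to `warn` as far as I recall, so a broken SBOM step would still yield a green job with a partial or empty artifact. Add `if-no-files-found: error` under `with:` so a missing `trivy-results.spdx.json` or `trivy-results.csv` fails the upload. If the artifact should also be kept when a scan step fails, the step needs `if: always()`; the step header sits outside the hunk, so I cannot see whether it already has one.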