From 8184c42095335e9acced054b2783ffeddb137fbc Mon Sep 17 00:00:00 2001
From: Jacek Chmielewski <jacek@defguard.net>
Date: Fri, 26 Sep 2025 11:46:19 +0200
Subject: [PATCH 1/3] CI: scan code with trivy

---
 .github/workflows/test.yml | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index fc24763b..ad533e66 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -34,6 +34,15 @@ jobs:
         uses: actions/checkout@v4
         with:
           submodules: recursive
+      - name: Scan code with Trivy
+        uses: aquasecurity/trivy-action@0.33.1
+        with:
+          scan-type: 'fs'
+          scan-ref: '.'
+          exit-code: "1"
+          ignore-unfixed: true
+          severity: "CRITICAL,HIGH,MEDIUM"
+          scanners: "vuln"
       - name: Cache
         uses: Swatinem/rust-cache@v2
       - name: Install protoc

From 2a139783aa7ebeeb2bc58321eaf246f9c23f1a67 Mon Sep 17 00:00:00 2001
From: Jacek Chmielewski <jacek@defguard.net>
Date: Fri, 26 Sep 2025 11:52:25 +0200
Subject: [PATCH 2/3] bump trivy action version

---
 .github/workflows/build-docker.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/build-docker.yml b/.github/workflows/build-docker.yml
index 55350776..a10ebc14 100644
--- a/.github/workflows/build-docker.yml
+++ b/.github/workflows/build-docker.yml
@@ -69,7 +69,7 @@ jobs:
           cache-to: type=gha,mode=max
 
       - name: Scan image with Trivy
-        uses: aquasecurity/trivy-action@0.32.0
+        uses: aquasecurity/trivy-action@0.33.1
         with:
           image-ref: "${{ env.GHCR_REPO }}:${{ github.sha }}-${{ matrix.tag }}"
           format: "table"

From a49aeebcdab8627d994f456569a05657191e3b59 Mon Sep 17 00:00:00 2001
From: Jacek Chmielewski <jacek@defguard.net>
Date: Fri, 26 Sep 2025 12:29:41 +0200
Subject: [PATCH 3/3] include low severity vulns in sbom

---
 .github/workflows/sbom.yml | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/sbom.yml b/.github/workflows/sbom.yml
index 0a8b8c81..1cc30e9f 100644
--- a/.github/workflows/sbom.yml
+++ b/.github/workflows/sbom.yml
@@ -32,7 +32,8 @@ jobs:
           format: 'spdx-json'
           output: "defguard-proxy-${{ env.VERSION }}.sbom.json"
           scan-ref: '.'
-          severity: "CRITICAL,HIGH,MEDIUM"
+          severity: "CRITICAL,HIGH,MEDIUM,LOW"
+          scanners: "vuln"
 
       - name: Create docker image SBOM with Trivy
         uses: aquasecurity/trivy-action@0.33.1
@@ -41,7 +42,7 @@ jobs:
           scan-type: 'image'
           format: 'spdx-json'
           output: "defguard-proxy-${{ env.VERSION }}-docker.sbom.json"
-          severity: "CRITICAL,HIGH,MEDIUM"
+          severity: "CRITICAL,HIGH,MEDIUM,LOW"
           scanners: "vuln"
 
       - name: Upload SBOM