From 5ee22bfd3d7775715829e37847c93a0d3adba7de Mon Sep 17 00:00:00 2001
From: Riku Rouvila
Date: Mon, 28 Oct 2024 12:24:53 +0200
Subject: [PATCH] also mirror checks

---
 .github/workflows/mirror-trivy-db.yml | 3 +++
 .github/workflows/security-scans.yml | 4 +++-
 trivy.yaml | 3 +--
 3 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/mirror-trivy-db.yml b/.github/workflows/mirror-trivy-db.yml
index 2ede6bc54fc..226dfdf5c25 100644
--- a/.github/workflows/mirror-trivy-db.yml
+++ b/.github/workflows/mirror-trivy-db.yml
@@ -73,3 +73,6 @@ jobs:
 - name: Mirror trivy-java-db to GHCR
 run: ./mirror-image.sh docker://ghcr.io/aquasecurity/trivy-java-db:1 docker://ghcr.io/${{ github.repository_owner }}/trivy-java-db:1 ${{ env.RETRIES }}
+
+ - name: Mirror trivy-checks to GHCR
+ run: ./mirror-image.sh docker://ghcr.io/aquasecurity/trivy-checks:1 docker://ghcr.io/${{ github.repository_owner }}/trivy-checks:1 ${{ env.RETRIES }}
diff --git a/.github/workflows/security-scans.yml b/.github/workflows/security-scans.yml
index 84a73a48a3c..c6fd342c06a 100644
--- a/.github/workflows/security-scans.yml
+++ b/.github/workflows/security-scans.yml
@@ -51,10 +51,11 @@ jobs:
 env:
 TRIVY_DB_REPOSITORY: 'ghcr.io/opencrvs/trivy-db'
 TRIVY_JAVA_DB_REPOSITORY: 'ghcr.io/opencrvs/trivy-java-db'
+ TRIVY_POLICIESBUNDLE_REPOSITORY: 'ghcr.io/opencrvs/trivy-checks'
 with:
 scan-type: 'fs'
 scan-ref: 'base'
- trivy-config: ./base/trivy.yaml
+ trivy-config: ./branch/trivy.yaml
 format: 'sarif'
 output: './trivy-results-base.sarif'
@@ -63,6 +64,7 @@ jobs:
 env:
 TRIVY_DB_REPOSITORY: 'ghcr.io/opencrvs/trivy-db'
 TRIVY_JAVA_DB_REPOSITORY: 'ghcr.io/opencrvs/trivy-java-db'
+ TRIVY_POLICIESBUNDLE_REPOSITORY: 'ghcr.io/opencrvs/trivy-checks'
 with:
 scan-type: 'fs'
 scan-ref: 'branch'
diff --git a/trivy.yaml b/trivy.yaml
index fa27a948600..1b09a7790d9 100644
--- a/trivy.yaml
+++ b/trivy.yaml
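Review bot: The new step mirrors the floating tag `trivy-checks:1`, so the checks bundle the scanners consume can change between runs with nothing in the workflow recording what was actually copied; have the mirror step also print the source image digest (using whatever inspect command `mirror-image.sh` already relies on — the script is outside this patch) so a scan result can be tied to the exact bundle it ran with. The same applies to the `trivy-java-db:1` step directly above it. A short comment would also help readers connect this step to its consumer, e.g. `# Consumed by security-scans.yml via TRIVY_POLICIESBUNDLE_REPOSITORY`. The enclosing `jobs:` block starts outside the hunk.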
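Review bot: `TRIVY_POLICIESBUNDLE_REPOSITORY` is hard-coded to `ghcr.io/opencrvs/trivy-checks` while the mirror workflow pushes to `ghcr.io/${{ github.repository_owner }}/trivy-checks`, so on a fork the scan would pull from a repository the fork's own mirror job never populated; the same mismatch exists for the two pre-existing `TRIVY_*_REPOSITORY` values and in the second hunk of this file. Consider `TRIVY_POLICIESBUNDLE_REPOSITORY: 'ghcr.io/${{ github.repository_owner }}/trivy-checks'`, or a single job-level `env:` block, which would also remove the duplication between the base and branch steps (the job header is outside the hunk). The switch from `./base/trivy.yaml` to `./branch/trivy.yaml` for the base scan is presumably deliberate so both scans run with identical config, but a comment on that line such as `# use the PR's trivy.yaml for both scans so results differ only by code` would stop the next reader from "fixing" it back.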
@@ -21,8 +21,7 @@ scan:
 - usr/local/share/.cache/yarn/v6/
 - home/node/.cache/yarn/v6
 skip-files:
- - Dockerfile.dockerignore
- - packages/*/Dockerfile.dockerignore
+ - '**/*.dockerignore'
 scanners:
 - vuln
 - misconfig
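Review bot: The new `'**/*.dockerignore'` entry skips every .dockerignore in the tree but does not say why; a comment above it such as `# *.dockerignore files are not Dockerfiles; keep them out of the misconfig scanner` would record the intent, which I can only infer from the `Dockerfile.dockerignore` names it replaces. If a root-level `.dockerignore` is also meant to be skipped, confirm that Trivy's glob matcher lets `*` match an empty prefix, since some matchers exclude dotfiles. The quoting is correct: an unquoted leading `*` would be parsed as a YAML alias. The `scan:` mapping begins outside the hunk.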