From 51752f1a6e13260655d20fcffe53d74d31c912f8 Mon Sep 17 00:00:00 2001
From: Thomas Ferrandiz <thomas.ferrandiz@suse.com>
Date: Thu, 12 Dec 2024 09:48:22 +0000
Subject: [PATCH 1/2] Add trivy vulnerability scanner in build step

Signed-off-by: Thomas Ferrandiz <thomas.ferrandiz@suse.com>
---
 .github/workflows/image-build.yml | 22 +++++++++++++++++++---
 1 file changed, 19 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/image-build.yml b/.github/workflows/image-build.yml
index 3ba8d608e..d0fe98450 100644
--- a/.github/workflows/image-build.yml
+++ b/.github/workflows/image-build.yml
@@ -13,7 +13,7 @@ jobs:
 
       # note: disable sbom/provenance for now (gchr.io does not managed well yet)
       - name: Build container image
-        uses: docker/build-push-action@v5
+        uses: docker/build-push-action@v6
         with:
           context: .
           push: false
@@ -25,7 +25,7 @@ jobs:
 
       # note: disable sbom/provenance for now (gchr.io does not managed well yet)
       - name: Build container debug image
-        uses: docker/build-push-action@v5
+        uses: docker/build-push-action@v6
         with:
           context: .
           push: false
@@ -46,7 +46,7 @@ jobs:
         uses: docker/setup-buildx-action@v3
 
       - name: Build container image
-        uses: docker/build-push-action@v5
+        uses: docker/build-push-action@v6
         with:
           context: .
           push: false
@@ -56,6 +56,22 @@ jobs:
           sbom: false
           provenance: false
 
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@0.29.0
+        with:
+          image-ref: ghcr.io/${{ github.repository }}:latest-thick
+          ignore-unfixed: true
+          vuln-type: 'os,library'
+          severity: 'CRITICAL,HIGH'
+          format: 'sarif'
+          output: 'trivy-results.sarif'
+          
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v3
+        if: always()
+        with:
+          sarif_file: 'trivy-results.sarif'
+
   build-origin:
     name: Image build/origin
     runs-on: ubuntu-latest

From ef8f01b299c9cac72ad0f7dd161af78d9c96f6bf Mon Sep 17 00:00:00 2001
From: Thomas Ferrandiz <thomas.ferrandiz@suse.com>
Date: Mon, 31 Mar 2025 14:54:53 +0000
Subject: [PATCH 2/2] Use cross-compilation for thick plugin build

---
 images/Dockerfile.thick | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/images/Dockerfile.thick b/images/Dockerfile.thick
index 86ba7f807..01ecf6faa 100644
--- a/images/Dockerfile.thick
+++ b/images/Dockerfile.thick
@@ -1,9 +1,10 @@
 # This Dockerfile is used to build the image available on DockerHub
-FROM golang:1.23 AS build
+FROM --platform=$BUILDPLATFORM golang:1.23 as build
 
 # Add everything
 ADD . /usr/src/multus-cni
 
+ARG TARGETPLATFORM
 RUN  cd /usr/src/multus-cni && \
      ./hack/build-go.sh