-
Notifications
You must be signed in to change notification settings - Fork 0
83 lines (78 loc) · 2.74 KB
/
trivy-fs-scan.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
name: "Run TRIVY scan"
on:
workflow_call:
inputs:
github_token:
description: 'GitHub Token'
required: true
skip_dirs:
description: 'A comma separated list of folders to ignore'
required: false
directory:
description: "Directory to scan"
required: true
type: 'string'
prcomment:
description: "Enable comment on PR"
required: false
type: 'boolean'
default: false
github_pr_url:
description: "GitHub PR URL"
required: false
type: 'string'
default: ''
template:
description: "url to comment template"
required: false
type: 'string'
default: 'https://raw.githubusercontent.com/domstolene/trivy-pr-report/main/trivy-pr-comment.tpl'
severity:
description: "Trivy severity (CSV values: MEDIUM,HIGH,CRITICAL)"
required: false
type: 'string'
default: 'CRITICAL,HIGH'
permissions:
pull-requests: write
jobs:
name: run-scan
runs-on: ubuntu-22.04
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Run Trivy vulnerability scanner
uses: aquasecurity/[email protected]
with:
scan-type: 'fs'
ignore-unfixed: true
format: 'template'
output: 'trivy.json'
severity: ${{ inputs.severity }}
skip-dirs: ${{ inputs.skip_dirs }}
exit-code: ${{ inputs.prcomment && '1' || '0' }}
- name: Report vulnerabilities in PR
if: ${{ inputs.prcomment }} && failure() && steps.scan.outcome == 'failure'
env:
GITHUB_TOKEN: ${{ inputs.github_token }}
shell: bash
run: |
echo -n "{\"body\":\"### Vulnerabilities detected\nThe following vulnerabilities of ${{ inputs.severity }} severity has been detected in the code. Please resolve these before merging the pull request.\n\n" > result.json
cat trivy.json | sort | uniq | tr -d '\n' >> result.json
echo "\"}" >> result.json
curl -X POST -H "Accept: application/vnd.github+json" \
-H "X-GitHub-Api-Version: 2022-11-28" \
-H "Authorization: Bearer $GITHUB_TOKEN" \
${{ inputs.github_pr_url }} \
-d @result.json
- name: Report no vulnerabilities in PR
if: ${{ inputs.prcomment }} && success() && steps.scan.outcome == 'success'
env:
GITHUB_TOKEN: ${{ inputs.github_token }}
shell: bash
run: |
echo -n "{\"body\":\"### No vulnerabilities detected\nNo vulnerabilities of HIGH or CRITICAL severity has been detected in the code.\"}" > result.json
curl -X POST -H "Accept: application/vnd.github+json" \
-H "X-GitHub-Api-Version: 2022-11-28" \
-H "Authorization: Bearer $GITHUB_TOKEN" \
${{ inputs.github_pr_url }} \
-d @result.json