Add trivy scanning trigger for PRs (k3s-io#10758)

Signed-off-by: Derek Nola <derek.nola@suse.com> (cherry picked from commit fa6940d) Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
brandond · Sep 5, 2024 · dbcc108 · dbcc108
1 parent 9973e7a
commit dbcc108
Showing 1 changed file with 48 additions and 0 deletions.
diff --git a/.github/workflows/trivy.yaml b/.github/workflows/trivy.yaml
@@ -0,0 +1,48 @@
+name: PR Comment Triggered Trivy Scan
+
+on:
+ issue_comment:
+ types: [created]
+
+jobs:
+ trivy_scan:
+ if: github.event.issue.pull_request && github.event.comment.body == '/trivy'
+ runs-on: ubuntu-latest
+ permissions:
+ pull-requests: write
+ env:
+ GH_TOKEN: ${{ github.token }}
+ steps:
+ - name: Checkout PR code
+ uses: actions/checkout@v4
+ with:
+ ref: ${{ github.event.issue.pull_request.head.ref }}
+
+ - name: Comment Status on PR
+ run: |
+ gh repo set-default ${{ github.repository }}
+ gh pr comment ${{ github.event.issue.number }} -b ":construction: Running Trivy scan on PR :construction: "
+
+ - name: Build K3s Image
+ run: |
+ make local
+ make package-image
+
+ - name: Run Trivy vulnerability scanner
+ uses: aquasecurity/trivy-action@0.20.0
+ with:
+ image-ref: 'rancher/k3s'
+ format: 'table'
+ severity: "HIGH,CRITICAL"
+ output: "trivy-report.txt"
+
+ - name: Add Trivy Report to PR
+ run: |
+ echo '```' | cat - trivy-report.txt > temp && mv temp trivy-report.txt
+ echo '```' >> trivy-report.txt
+ gh issue comment ${{ github.event.issue.number }} --edit-last -F trivy-report.txt
+ 
+ - name: Report Failure
+ if: ${{ failure() }}
+ run: |
+ gh issue comment ${{ github.event.issue.number }} --edit-last -b ":x: Trivy scan action failed, check logs :x:"