mirror of https://github.com/k3s-io/k3s.git
50 lines
1.4 KiB
YAML
50 lines
1.4 KiB
YAML
name: PR Comment Triggered Trivy Scan
|
|
|
|
on:
|
|
issue_comment:
|
|
types: [created]
|
|
|
|
jobs:
|
|
trivy_scan:
|
|
if: github.event.issue.pull_request && github.event.comment.body == '/trivy'
|
|
runs-on: ubuntu-latest
|
|
permissions:
|
|
pull-requests: write
|
|
env:
|
|
GH_TOKEN: ${{ github.token }}
|
|
steps:
|
|
- name: Checkout PR code
|
|
uses: actions/checkout@v4
|
|
with:
|
|
ref: refs/pull/${{ github.event.issue.number }}/head
|
|
|
|
- name: Comment Status on PR
|
|
run: |
|
|
gh repo set-default ${{ github.repository }}
|
|
gh pr comment ${{ github.event.issue.number }} -b ":construction: Running Trivy scan on PR :construction: "
|
|
|
|
- name: Build K3s Image
|
|
run: |
|
|
make local
|
|
make package-image
|
|
make tag-image-latest
|
|
|
|
- name: Run Trivy vulnerability scanner
|
|
uses: aquasecurity/trivy-action@0.24.0
|
|
with:
|
|
image-ref: 'rancher/k3s:latest'
|
|
format: 'table'
|
|
severity: "HIGH,CRITICAL"
|
|
output: "trivy-report.txt"
|
|
|
|
- name: Add Trivy Report to PR
|
|
run: |
|
|
echo '```' | cat - trivy-report.txt > temp && mv temp trivy-report.txt
|
|
echo '```' >> trivy-report.txt
|
|
gh issue comment ${{ github.event.issue.number }} --edit-last -F trivy-report.txt
|
|
|
|
- name: Report Failure
|
|
if: ${{ failure() }}
|
|
run: |
|
|
gh issue comment ${{ github.event.issue.number }} --edit-last -b ":x: Trivy scan action failed, check logs :x:"
|