-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathaction.yml
112 lines (102 loc) · 3.77 KB
/
action.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
name: "Container image scanner"
description: "Scan the container image and upload the results to GitHub"
inputs:
image:
description: "The full image name, including hash or tag"
required: true
severity:
description: "severity"
required: true
default: "LOW,MEDIUM,HIGH,CRITICAL"
exit-code:
description: "Exit code when specified vulnerabilities are found"
required: true
default: "1"
vuln-type:
description: "Vulnerability types to scan for (os,library)"
required: true
default: "os"
trivy-output:
description: "Trivy SARIF file output path relative to root"
required: true
default: "trivy-results.sarif"
trivyignores:
description: "Comma-separated list of relative paths in repository to one or more .trivyignore files"
required: false
python-version:
description: "The Python version to use. Should work with 3.7+"
required: true
default: "3.12"
runs:
using: "composite"
steps:
- name: Trivy scan
uses: aquasecurity/trivy-action@0.29.0
with:
scan-type: "image"
scanners: "vuln"
image-ref: ${{ inputs.image }}
timeout: "15m"
hide-progress: true
ignore-unfixed: true
vuln-type: ${{ inputs.vuln-type }}
severity: ${{ inputs.severity }}
limit-severities-for-sarif: true
trivyignores: ${{ inputs.trivyignores }}
format: "sarif"
output: ${{ inputs.trivy-output }}
exit-code: "0"
- name: Set up Python
uses: actions/setup-python@v5
with:
python-version: ${{ inputs.python-version }}
- name: Modify SARIF category
shell: bash
run: python ${{ github.action_path }}/sarif.py "${{ inputs.image }}" "${{ inputs.trivy-output }}"
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: ${{ inputs.trivy-output }}
- name: Check for Trivy findings
shell: bash
if: ${{ github.event_name == 'pull_request' }}
run: |
findings=$(jq '.runs[].results | length' "${{ inputs.trivy-output }}")
if [ "$findings" -gt 0 ]; then
echo "findings=true" >> "$GITHUB_ENV"
else
echo "findings=false" >> "$GITHUB_ENV"
fi
- name: Find Comment
if: ${{ github.event_name == 'pull_request' }}
uses: peter-evans/find-comment@v3
id: fc
with:
issue-number: ${{ github.event.pull_request.number }}
comment-author: 'github-actions[bot]'
body-includes: ${{ inputs.image }}
- name: Resolve findings comment
if: ${{ steps.fc.outputs.comment-id != '' && env.findings == 'false' && github.event_name == 'pull_request' }}
uses: peter-evans/create-or-update-comment@v4
with:
comment-id: ${{ steps.fc.outputs.comment-id }}
issue-number: ${{ github.event.pull_request.number }}
body: |
🌟 No vulnerabilities in image:
`${{ inputs.image }}`
edit-mode: replace
- name: Create findings comment
if: ${{ steps.fc.outputs.comment-id == '' && env.findings == 'true' && github.event_name == 'pull_request' }}
uses: peter-evans/create-or-update-comment@v4
with:
comment-id: ${{ steps.fc.outputs.comment-id }}
issue-number: ${{ github.event.pull_request.number }}
body: |
🚨 Vulnerabilities were found for image:
`${{ inputs.image }}`
[View all pull request alerts](https://github.com/${{ github.repository }}/security/code-scanning?query=pr%3A${{ github.event.pull_request.number }}+tool%3ATrivy+is%3Aopen)
edit-mode: replace
- name: Exit run
if: ${{ env.findings == 'true' && inputs.exit-code == '1' && github.event_name == 'pull_request' }}
shell: bash
run: exit 1