Commit be60661f authored by Derek Nola's avatar Derek Nola Committed by Brad Davidson

Add trivy scanning trigger for PRs (#10758)

Signed-off-by: 's avatarDerek Nola <derek.nola@suse.com> (cherry picked from commit fa6940d0) Signed-off-by: 's avatarBrad Davidson <brad.davidson@rancher.com>
parent e0c4e601
name: PR Comment Triggered Trivy Scan
on:
issue_comment:
types: [created]
jobs:
trivy_scan:
if: github.event.issue.pull_request && github.event.comment.body == '/trivy'
runs-on: ubuntu-latest
permissions:
pull-requests: write
env:
GH_TOKEN: ${{ github.token }}
steps:
- name: Checkout PR code
uses: actions/checkout@v4
with:
ref: ${{ github.event.issue.pull_request.head.ref }}
- name: Comment Status on PR
run: |
gh repo set-default ${{ github.repository }}
gh pr comment ${{ github.event.issue.number }} -b ":construction: Running Trivy scan on PR :construction: "
- name: Build K3s Image
run: |
make local
make package-image
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@0.20.0
with:
image-ref: 'rancher/k3s'
format: 'table'
severity: "HIGH,CRITICAL"
output: "trivy-report.txt"
- name: Add Trivy Report to PR
run: |
echo '```' | cat - trivy-report.txt > temp && mv temp trivy-report.txt
echo '```' >> trivy-report.txt
gh issue comment ${{ github.event.issue.number }} --edit-last -F trivy-report.txt
- name: Report Failure
if: ${{ failure() }}
run: |
gh issue comment ${{ github.event.issue.number }} --edit-last -b ":x: Trivy scan action failed, check logs :x:"
\ No newline at end of file
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment