From f91b3a257fea70bde0dadd0213360ce476fbfece Mon Sep 17 00:00:00 2001
From: terminus-devops
Date: Tue, 20 May 2025 10:34:53 +0000
Subject: [PATCH] Add GitHub Actions workflow
---
.../workflows/vulnerability_scan_public.yaml | 96 +++++++++++++++++++
1 file changed, 96 insertions(+)
create mode 100644 .github/workflows/vulnerability_scan_public.yaml
diff --git a/.github/workflows/vulnerability_scan_public.yaml b/.github/workflows/vulnerability_scan_public.yaml
new file mode 100644
index 0000000..e064835
--- /dev/null
+++ b/.github/workflows/vulnerability_scan_public.yaml
@@ -0,0 +1,96 @@
+name: Vulnerability Scan
+
+on:
+ pull_request:
+ branches:
+ - master
+ - main
+ - release
+ - dev
+ - stage
+
+jobs:
+ vulnerability-scan:
+ name: Vulnerability Scan
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v4
+
+ - name: Run Trivy vulnerability scanner in repo mode
+ uses: aquasecurity/trivy-action@0.30.0
+ with:
+ scan-type: 'fs'
+ scanners: 'vuln'
+ ignore-unfixed: true
+ format: "table"
+ severity: "HIGH,CRITICAL"
+ output: trivy-result.txt
+
+ - name: Check Trivy result file
+ # shell: bash --norc -l -e -o pipefail {0}
+ run: cat trivy-result.txt
+
+ - name: Count HIGH/CRITICAL vulnerabilities
+ # shell: bash --norc -l -e -o pipefail {0}
+ id: count_vulns
+ run: |
+ # Summary table
+ awk '
+ BEGIN { in_table=0 }
+ /^┌/ { if (in_table == 0) { in_table=1; print; next } }
+ /^└/ { if (in_table == 1) { print; exit } }
+ { if (in_table == 1) print }
+ ' trivy-result.txt > Summary-table.txt
+
+ echo "Report Summary:"
+ cat Summary-table.txt
+
+ # Extract "Vulnerabilities" column and sum the numbers
+ col=$(awk -F'│' '/Vulnerabilities/ { for (i=1;i<=NF;i++) if ($i ~ /Vulnerabilities/) print i; exit }' Summary-table.txt)
+ total=$(awk -v col="$col" -F'│' 'NR > 3 && $0 ~ /^│/ { gsub(/ /, "", $col); sum += $col } END { print sum }' Summary-table.txt)
+
+ echo "Total vulnerabilities (HIGH/CRITICAL): $total"
+ echo "vuln_total=$total" >> $GITHUB_ENV
+ echo "report_url=https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}" >> $GITHUB_ENV
+
+ - name: Find previous comment
+ id: find-comment
+ uses: peter-evans/find-comment@v3
+ with:
+ issue-number: ${{ github.event.pull_request.number }}
+ comment-author: 'github-actions[bot]'
+ body-includes: Trivy Scan Report
+
+ - name: Set conditional comment body
+ # shell: bash --norc -l -e -o pipefail {0}
+ id: comment-body
+ run: |
+ if [ "${{ env.vuln_total }}" != 0 ]; then
+ echo -e "## Trivy Scan Report:\n${{ env.vuln_total }} vulnerabilities(HIGH/CRITICAL) found!\n[View report](${{ env.report_url }})" >> brief-trivy-summary.md
+ else
+ echo -e "## Trivy Scan Report:\nNo vulnerabilities(HIGH/CRITICAL) found!" >> brief-trivy-summary.md
+ fi
+
+ - name: Post Vulnerability Count as PR Comment
+ uses: peter-evans/create-or-update-comment@v3
+ with:
+ comment-id: ${{ steps.find-comment.outputs.comment-id }}
+ edit-mode: replace
+ issue-number: ${{ github.event.pull_request.number }}
+ body-path: brief-trivy-summary.md
+
+ - name: Format Trivy Scan Result
+ # shell: bash --norc -l -e -o pipefail {0}
+ run: |
+ if [ "${{ env.vuln_total }}" != 0 ]; then
+ echo -e "\n\`\`\`\n$(cat trivy-result.txt)\n\`\`\`\n" > formatted-trivy-result.md
+ else
+ echo -e "\nNo vulnerabilities(HIGH/CRITICAL) were detected." > formatted-trivy-result.md
+ fi
+
+ - name: Publish Trivy report to GitHub summary
+ # shell: bash --norc -l -e -o pipefail {0}
+ run: |
+ echo "## Trivy Scan Report" >> $GITHUB_STEP_SUMMARY
+ cat formatted-trivy-result.md >> $GITHUB_STEP_SUMMARY
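Review bot: The workflow declares no `permissions:` block, so the job that posts PR comments runs with whatever default GITHUB_TOKEN scope the repository grants instead of the minimum it needs; add `permissions:` with `contents: read` and `pull-requests: write` at the workflow or job level, and note in a comment that a `pull_request` run from a fork still receives a read-only token, so the create-or-update-comment step is expected to fail there. The three `run:` steps splice `${{ env.vuln_total }}` and `${{ env.report_url }}` directly into the shell text; `vuln_total` is an awk sum and so is most likely numeric, but both values are already exported via `$GITHUB_ENV`, so reference them as `"$vuln_total"` and `"$report_url"` to avoid the expression-injection pattern, and default the count with `total=${total:-0}` because `print sum` yields an empty string when no table row matched and `"" != 0` then reports a blank count as findings. All four actions are pinned to mutable tags (`actions/checkout@v4`, `aquasecurity/trivy-action@0.30.0`, `peter-evans/find-comment@v3`, `peter-evans/create-or-update-comment@v3`); pin each to a full commit SHA with the tag in a trailing comment so a retagged release cannot silently change what runs on every PR. Nothing in the hunk fails the job when HIGH/CRITICAL findings exist and `ignore-unfixed: true` drops findings without a fix, so this is an advisory scan rather than a gate — if a gate is intended, set `exit-code: '1'` on the Trivy step or exit non-zero after the count, and either way state the advisory intent in a comment at the top of the file.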