mirror of
https://github.com/k3s-io/k3s.git
synced 2026-05-28 04:34:19 -04:00
102 lines
3.2 KiB
YAML
102 lines
3.2 KiB
YAML
name: PR Comment Triggered Trivy Scan
|
|
|
|
on:
|
|
issue_comment:
|
|
types: [created]
|
|
|
|
jobs:
|
|
trivy_scan:
|
|
if: github.event.issue.pull_request && github.event.comment.body == '/trivy'
|
|
runs-on: ubuntu-latest
|
|
permissions:
|
|
pull-requests: read
|
|
steps:
|
|
- name: Check if comment author is a member of k3s-dev team
|
|
uses: actions/github-script@v7
|
|
with:
|
|
# Catch 404 errors if user is not a member of the organization
|
|
# 302 is expected as the GHA is not a member of the organization
|
|
# Users must be set their membership to public for this to work
|
|
# https://github.com/orgs/k3s-io/people
|
|
script: |
|
|
const org = context.repo.owner;
|
|
const username = context.payload.comment.user.login;
|
|
try {
|
|
const result = await github.rest.orgs.checkMembershipForUser({
|
|
org,
|
|
username,
|
|
});
|
|
} catch (error) {
|
|
core.setFailed(`User ${username} is not an public member of the ${org} organization`);
|
|
}
|
|
- name: Checkout PR code
|
|
uses: actions/checkout@v4
|
|
with:
|
|
ref: refs/pull/${{ github.event.issue.number }}/head
|
|
|
|
- name: Build K3s Image
|
|
run: |
|
|
make local
|
|
make package-image
|
|
make tag-image-latest
|
|
|
|
- name: Download Rancher's VEX Hub report
|
|
run: curl -fsSO https://raw.githubusercontent.com/rancher/vexhub/refs/heads/main/reports/rancher.openvex.json
|
|
|
|
- name: Run Trivy vulnerability scanner
|
|
uses: aquasecurity/trivy-action@0.24.0
|
|
with:
|
|
image-ref: 'rancher/k3s:latest'
|
|
format: 'table'
|
|
severity: "HIGH,CRITICAL"
|
|
output: "trivy-report.txt"
|
|
env:
|
|
TRIVY_VEX: rancher.openvex.json
|
|
TRIVY_SHOW_SUPPRESSED: true
|
|
|
|
- name: Upload Trivy Report
|
|
uses: actions/upload-artifact@v4
|
|
with:
|
|
name: trivy-report
|
|
path: trivy-report.txt
|
|
retention-days: 2
|
|
if-no-files-found: error
|
|
|
|
trivy_report:
|
|
needs: trivy_scan
|
|
runs-on: ubuntu-latest
|
|
permissions:
|
|
pull-requests: write
|
|
env:
|
|
GH_TOKEN: ${{ github.token }}
|
|
GH_REPO: ${{ github.repository }}
|
|
steps:
|
|
- name: Download Trivy Report
|
|
uses: actions/download-artifact@v4
|
|
with:
|
|
name: trivy-report
|
|
|
|
- name: Add Trivy Report to PR
|
|
run: |
|
|
if [ -s trivy-report.txt ] && [ -n "$(grep -v '^\s*$' trivy-report.txt)" ]; then
|
|
echo '```' | cat - trivy-report.txt > temp && mv temp trivy-report.txt
|
|
echo '```' >> trivy-report.txt
|
|
gh issue comment ${{ github.event.issue.number }} -F trivy-report.txt
|
|
else
|
|
echo ':star2: No High or Critical CVEs Found :star2:' > trivy-report.txt
|
|
gh issue comment ${{ github.event.issue.number }} -F trivy-report.txt
|
|
fi
|
|
|
|
trivy_failure:
|
|
needs: trivy_scan
|
|
runs-on: ubuntu-latest
|
|
if: always() && needs.trivy_scan.result == 'failure'
|
|
permissions:
|
|
pull-requests: write
|
|
env:
|
|
GH_TOKEN: ${{ github.token }}
|
|
GH_REPO: ${{ github.repository }}
|
|
steps:
|
|
- name: Report Failure
|
|
run: |
|
|
gh issue comment ${{ github.event.issue.number }} -b ":x: Trivy scan action failed, check logs :x:"
|