Add trivy scanning trigger for PRs (#10758)

Signed-off-by: Derek Nola <derek.nola@suse.com> (cherry picked from commit fa6940d03d) Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
3 months ago · a5b8a81422
1 changed files with 48 additions and 0 deletions
--- a/.github/workflows/trivy.yaml
+++ b/.github/workflows/trivy.yaml
@ -0,0 +1,48 @@
+name: PR Comment Triggered Trivy Scan
+
+on:
+  issue_comment:
+    types: [created]
+
+jobs:
+  trivy_scan:
+    if: github.event.issue.pull_request && github.event.comment.body == '/trivy'
+    runs-on: ubuntu-latest
+    permissions:
+      pull-requests: write
+    env:
+      GH_TOKEN: ${{ github.token }}
+    steps:
+    - name: Checkout PR code
+      uses: actions/checkout@v4
+      with:
+        ref: ${{ github.event.issue.pull_request.head.ref }}
+    
+    - name: Comment Status on PR
+      run: |
+        gh repo set-default ${{ github.repository }}
+        gh pr comment ${{ github.event.issue.number }} -b ":construction: Running Trivy scan on PR :construction: "
+
+    - name: Build K3s Image
+      run: |
+        make local
+        make package-image
+
+    - name: Run Trivy vulnerability scanner
+      uses: aquasecurity/trivy-action@0.20.0
+      with:
+        image-ref: 'rancher/k3s'
+        format: 'table'
+        severity: "HIGH,CRITICAL"
+        output: "trivy-report.txt"
+    
+    - name: Add Trivy Report to PR
+      run: |
+        echo '```' | cat - trivy-report.txt > temp && mv temp trivy-report.txt
+        echo '```' >> trivy-report.txt
+        gh issue comment ${{ github.event.issue.number }} --edit-last -F trivy-report.txt
+    
+    - name: Report Failure
+      if: ${{ failure() }}
+      run: |
+        gh issue comment ${{ github.event.issue.number }} --edit-last -b ":x: Trivy scan action failed, check logs :x:"