diff --git a/.github/workflows/trivy.yaml b/.github/workflows/trivy.yaml new file mode 100644 index 0000000000..df01d4479c --- /dev/null +++ b/.github/workflows/trivy.yaml @@ -0,0 +1,48 @@ +name: PR Comment Triggered Trivy Scan + +on: + issue_comment: + types: [created] + +jobs: + trivy_scan: + if: github.event.issue.pull_request && github.event.comment.body == '/trivy' + runs-on: ubuntu-latest + permissions: + pull-requests: write + env: + GH_TOKEN: ${{ github.token }} + steps: + - name: Checkout PR code + uses: actions/checkout@v4 + with: + ref: ${{ github.event.issue.pull_request.head.ref }} + + - name: Comment Status on PR + run: | + gh repo set-default ${{ github.repository }} + gh pr comment ${{ github.event.issue.number }} -b ":construction: Running Trivy scan on PR :construction: " + + - name: Build K3s Image + run: | + make local + make package-image + + - name: Run Trivy vulnerability scanner + uses: aquasecurity/trivy-action@0.20.0 + with: + image-ref: 'rancher/k3s' + format: 'table' + severity: "HIGH,CRITICAL" + output: "trivy-report.txt" + + - name: Add Trivy Report to PR + run: | + echo '```' | cat - trivy-report.txt > temp && mv temp trivy-report.txt + echo '```' >> trivy-report.txt + gh issue comment ${{ github.event.issue.number }} --edit-last -F trivy-report.txt + + - name: Report Failure + if: ${{ failure() }} + run: | + gh issue comment ${{ github.event.issue.number }} --edit-last -b ":x: Trivy scan action failed, check logs :x:" \ No newline at end of file