Add trivy scanning trigger for PRs (#10758)

Signed-off-by: Derek Nola <derek.nola@suse.com>
k3s-io · Aug 30, 2024 · fa6940d · fa6940d
1 parent 0b4d249
commit fa6940d
Showing 1 changed file with 48 additions and 0 deletions.
diff --git a/.github/workflows/trivy.yaml b/.github/workflows/trivy.yaml
@@ -0,0 +1,48 @@
+name: PR Comment Triggered Trivy Scan
+
+on:
+  issue_comment:
+    types: [created]
+
+jobs:
+  trivy_scan:
+    if: github.event.issue.pull_request && github.event.comment.body == '/trivy'
+    runs-on: ubuntu-latest
+    permissions:
+      pull-requests: write
+    env:
+      GH_TOKEN: ${{ github.token }}
+    steps:
+    - name: Checkout PR code
+      uses: actions/checkout@v4
+      with:
+        ref: ${{ github.event.issue.pull_request.head.ref }}
+
+    - name: Comment Status on PR
+      run: |
+        gh repo set-default ${{ github.repository }}
+        gh pr comment ${{ github.event.issue.number }} -b ":construction: Running Trivy scan on PR :construction: "
+
+    - name: Build K3s Image
+      run: |
+        make local
+        make package-image
+
+    - name: Run Trivy vulnerability scanner
+      uses: aquasecurity/trivy-action@0.20.0
+      with:
+        image-ref: 'rancher/k3s'
+        format: 'table'
+        severity: "HIGH,CRITICAL"
+        output: "trivy-report.txt"
+
+    - name: Add Trivy Report to PR
+      run: |
+        echo '```' | cat - trivy-report.txt > temp && mv temp trivy-report.txt
+        echo '```' >> trivy-report.txt
+        gh issue comment ${{ github.event.issue.number }} --edit-last -F trivy-report.txt
+    
+    - name: Report Failure
+      if: ${{ failure() }}
+      run: |
+        gh issue comment ${{ github.event.issue.number }} --edit-last -b ":x: Trivy scan action failed, check logs :x:"