-
Notifications
You must be signed in to change notification settings - Fork 3.5k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
add vulnerability scanning github action (#11096)
Adds a GitHub action that will run `snyk` and `trivy` scans against PRs and comment on the PR if a high or critical vulnerability is found
- Loading branch information
1 parent
91ec2fc
commit 060600c
Showing
1 changed file
with
90 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,90 @@ | ||
| name: PR Vulnerability Scan | ||
| on: pull_request | ||
|
|
||
| permissions: | ||
| pull-requests: write | ||
| contents: write | ||
|
|
||
| jobs: | ||
| snyk: | ||
| name: Snyk Scan | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - name: Checkout code | ||
| uses: actions/checkout@master | ||
| - name: Run Snyk to check for vulnerabilities | ||
| uses: snyk/actions/golang@master | ||
| continue-on-error: true # To make sure that PR comment is made | ||
| env: | ||
| SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} | ||
| with: | ||
| command: test | ||
| args: --severity-threshold=high --json-file-output=snyk.json | ||
|
|
||
| - name: Prepare Snyk message | ||
| run: | | ||
| echo "Snyk scan found the following vulnerabilities:" > snyk.txt | ||
| - name: Format Snyk Message | ||
| uses: sergeysova/jq-action@v2 | ||
| continue-on-error: true | ||
| with: | ||
| cmd: jq -r '.vulnerabilities[] | "* **\(.severity)** - [\(.identifiers.CVE[0])] \(.title) in `\(.moduleName)` v\(.version). Fixed in \(.fixedIn)"' snyk.json >> snyk.txt | ||
|
|
||
| - name: Determine whether to comment | ||
| continue-on-error: true | ||
| id: should-comment | ||
| run: | | ||
| if [[ $(wc -l < snyk.txt) -gt 1 ]]; then exit 0; fi | ||
| exit 1 | ||
| - name: Comment on PR with Snyk scan results | ||
| uses: mshick/add-pr-comment@v2 | ||
| if: ${{ steps.should-comment.outcome == 'success' }} | ||
| with: | ||
| message-id: snyk-${{ github.event.number }} | ||
| message-path: snyk.txt | ||
| trivy: | ||
| name: Trivy Scan | ||
| runs-on: ubuntu-20.04 | ||
| steps: | ||
| - name: Checkout code | ||
| uses: actions/checkout@v3 | ||
|
|
||
| - name: Build Loki Image | ||
| run: | | ||
| IMAGE_TAG="$(./tools/image-tag)" | ||
| make loki-image | ||
| echo "IMAGE_TAG=${IMAGE_TAG}" >> $GITHUB_ENV | ||
| - name: Run Trivy vulnerability scanner | ||
| uses: aquasecurity/trivy-action@master | ||
| with: | ||
| image-ref: "docker.io/grafana/loki:${{ env.IMAGE_TAG }}" | ||
| format: "json" | ||
| output: "trivy.json" | ||
| severity: "CRITICAL,HIGH" | ||
|
|
||
| - name: Prepare Trivy Message | ||
| run: | | ||
| echo "Trivy scan found the following vulnerabilities:" > trivy.txt | ||
| - name: Format Trivy Message | ||
| uses: sergeysova/jq-action@v2 | ||
| continue-on-error: true | ||
| with: | ||
| cmd: jq -r '.Results[] | select(.Vulnerabilities != null) | .Vulnerabilities[] | "* **\(.Severity)** [\(.Title)](\(.PrimaryURL)) in `\(.PkgName)` v\(.InstalledVersion). Fixed in v\(.FixedVersion)"' trivy.json >> trivy.txt | ||
|
|
||
| - name: Determine whether to comment | ||
| continue-on-error: true | ||
| id: should-comment | ||
| run: | | ||
| if [[ $(wc -l < trivy.txt) -gt 1 ]]; then exit 0; fi | ||
| exit 1 | ||
| - name: Comment on PR with Trivy scan results | ||
| uses: mshick/add-pr-comment@v2 | ||
| if: ${{ steps.should-comment.outcome == 'success' }} | ||
| with: | ||
| message-id: trivy-${{ github.event.number }} | ||
| message-path: trivy.txt |