diff --git a/.github/workflows/vulnerability-scan.yml b/.github/workflows/vulnerability-scan.yml
index 44cd7d1dddcfc..526b36bf48774 100644
--- a/.github/workflows/vulnerability-scan.yml
+++ b/.github/workflows/vulnerability-scan.yml
@@ -1,4 +1,4 @@
-name: Run vulnerability scans and comment on PR
+name: PR Vulnerability Scan
 on: pull_request
 permissions:
@@ -10,7 +10,8 @@ jobs:
 name: Snyk Scan
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@master
+ - name: Checkout code
+ uses: actions/checkout@master
 - name: Run Snyk to check for vulnerabilities
 uses: snyk/actions/golang@master
 continue-on-error: true # To make sure that PR comment is made
@@ -19,7 +20,7 @@ jobs:
 with:
 command: test
 args: --severity-threshold=high > snyk-results.txt
- - name: Add Snyk scan results to PR
+ - name: Comment on PR with Snyk scan results
 uses: mshick/add-pr-comment@v2
 with:
 message-path: snyk-results.txt
@@ -30,7 +31,7 @@ jobs:
 - name: Checkout code
 uses: actions/checkout@v3
- - name: Build an image from Dockerfile
+ - name: Build Loki Image
 run: |
 IMAGE_TAG="$(./tools/image-tag)"
 make loki-image
@@ -40,10 +41,20 @@ jobs:
 uses: aquasecurity/trivy-action@master
 with:
 image-ref: "docker.io/grafana/loki:${{ env.IMAGE_TAG }}"
- format: "table"
- output: "trivy-results.txt"
+ format: "json"
+ output: "trivy.json"
+
+ - name: Generate Message
 uses: sergeysova/jq-action@v2
 id: trivy-message
 with:
 cmd: jq -r '.Results[] | .Vulnerabilities[] | "* \(.Severity) [\(.Title)](\(.PrimaryURL)) in \(.PkgName) v\(.InstalledVersion). Fixed in v\(.FixedVersion)"' trivy.json
+ multiline: true
- - name: Add Trivy scan results to PR
+ - name: Comment on PR with Trivy scan results
 uses: mshick/add-pr-comment@v2
 with:
- message-path: trivy-results.txt
+ message: |
+ Trivy scan found the following vulernbilities:
+
+ ${{ steps.trivy-message.outputs.value }}
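Review bot: The checkout step this hunk renames still resolves `uses: actions/checkout@master`, a mutable branch ref that anyone who can push to the upstream repository can repoint, and the same applies to `snyk/actions/golang@master` two lines below, to `aquasecurity/trivy-action@master` and `sergeysova/jq-action@v2` in the last hunk, and to the inconsistency that the Trivy job's checkout is already at `@v3` while this one is at `@master`. For a workflow that runs on every pull request, pin each third-party action to a full commit SHA with the version in a trailing comment, e.g. `uses: actions/checkout@<full-commit-sha>  # v3`, so that an upstream change becomes a reviewable dependency bump instead of a silent one. The Snyk job continues outside the hunk.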
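Review bot: The jq filter in the `cmd:` line of the Generate Message step errors with "Cannot iterate over null" on any `Results` entry that has no `Vulnerabilities` key, which Trivy omits for targets with no findings, so a clean scan breaks the step rather than yielding an empty list; `.Results[] | (.Vulnerabilities // [])[] | ...` (or `.Vulnerabilities[]?`) keeps it working. Findings without a `FixedVersion` will likewise print as `Fixed in vnull`, so consider `\(.FixedVersion // "unfixed")` there. The comment body in the final step misspells the heading; it should read `Trivy scan found the following vulnerabilities:`. Since jq is preinstalled on the ubuntu-latest runner image, the same filter in a plain `run:` step with `$GITHUB_OUTPUT` would drop the extra third-party action from a workflow that already pulls three. The Trivy job begins before this hunk.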