forked from k3s-io/k3s
-
Notifications
You must be signed in to change notification settings - Fork 1
38 lines (34 loc) · 1.04 KB
/
trivy.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
name: PR Comment Triggered Trivy Scan
on:
issue_comment:
types: [created]
jobs:
trivy_scan:
if: github.event.issue.pull_request && github.event.comment.body == '/trivy'
runs-on: ubuntu-latest
permissions:
pull-requests: write
env:
GH_TOKEN: ${{ github.token }}
steps:
- name: Checkout PR code
uses: actions/checkout@v4
with:
ref: ${{ github.event.issue.pull_request.head.ref }}
- name: Build K3s Image
run: make package-image
- name: On Failure, Launch Debug Session
uses: dereknola/action-upterm@v1
if: ${{ failure() }}
with:
## If no one connects after 5 minutes, shut down server.
wait-timeout-minutes: 5
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@0.20.0
with:
image-ref: 'rancher/k3s'
format: 'table'
severity: "HIGH,CRITICAL"
output: "trivy-report.txt"
- name: Add Trivy Report to PR
run: gh pr comment ${{ github.event.issue.number }} -F trivy-report.txt