Composite action for running security scan

bricklanetech/github.action.security-scan


Security code scanning using Trivy

This composite GitHub Action automates the process of scanning source code for vulnerabilities and then adds a comment to the associated pull request with a detailed list of any vulnerabilities discovered. It integrates with Trivy, a vulnerability scanner, to perform the code analysis.

This GitHub Action is designed to enhance the security of your repository by automating vulnerability scanning during the pull request process. It allows developers to be informed about potential security issues as part of their code review process, promoting safer and more secure software development.

Workflow Steps

Scan Source Code:
Trivy scans the specified source code, generating a JSON report containing vulnerability information.

Read Trivy Results:
The table report generated by the Trivy scan is read, and the detected vulnerabilities are extracted. The extracted vulnerabilities are stored as a step output to be used later.

Create Comment:
If vulnerabilities are detected (based on the extracted results), this step constructs a detailed comment. For each vulnerability, the comment includes information such as the Vulnerability ID, Severity, Package Name, Installed Version, Description, and References. The comment is formatted for easy readability.

Add Comment to Pull Request:
Using the GitHub REST API provided by the thollander/actions-comment-pull-request action, this step adds the constructed comment to the pull request that triggered the workflow run. The comment contains the list of vulnerabilities found during the Trivy scan.
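As an added illustration of the "Read Trivy Results" and "Create Comment" steps (this is example code, not the action's own implementation), the following Python reads a Trivy JSON report, keeps only the findings matching the action's `severity` input, and renders a comment body with the fields listed above. The report, package names and CVE identifiers are constructed for the example.

```python
import json

# Constructed sample in the shape of a Trivy JSON report (not real scan output):
# Results[].Vulnerabilities[] carrying the fields the comment step lists.
SAMPLE_REPORT = json.dumps({
    "Results": [
        {"Target": "package-lock.json", "Vulnerabilities": [
            {"VulnerabilityID": "CVE-EXAMPLE-0001", "PkgName": "example-lib",
             "InstalledVersion": "1.0.0", "FixedVersion": "1.0.1", "Severity": "HIGH",
             "Description": "Constructed high-severity finding.",
             "References": ["https://example.invalid/advisory/0001"]},
            {"VulnerabilityID": "CVE-EXAMPLE-0002", "PkgName": "other-lib",
             "InstalledVersion": "2.3.0", "Severity": "LOW",
             "Description": "Constructed low-severity finding.", "References": []},
        ]},
        {"Target": "Dockerfile"},  # Trivy omits "Vulnerabilities" for a clean target
    ]
})


def extract_vulnerabilities(report_json, severity="UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL"):
    """Return findings whose Severity is in the comma-separated `severity` input."""
    wanted = {s.strip().upper() for s in severity.split(",") if s.strip()}
    found = []
    for result in json.loads(report_json).get("Results") or []:
        for vuln in result.get("Vulnerabilities") or []:
            if vuln.get("Severity", "UNKNOWN").upper() in wanted:
                found.append({**vuln, "Target": result.get("Target", "")})
    return found


def build_comment(vulns):
    """Render the pull request comment; an empty string means nothing to post."""
    if not vulns:
        return ""
    noun = "vulnerability" if len(vulns) == 1 else "vulnerabilities"
    lines = [f"## Trivy security scan: {len(vulns)} {noun} found", ""]
    for v in vulns:
        lines += [
            f"### {v['VulnerabilityID']} ({v['Severity']})",
            f"- Package: `{v['PkgName']}` {v['InstalledVersion']} in `{v['Target']}`",
            f"- Fixed in: {v.get('FixedVersion') or 'no fix available'}",
            f"- Description: {v.get('Description', '').strip()}",
        ]
        lines += [f"- Reference: {r}" for r in v.get("References", [])[:3]]
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    print(build_comment(extract_vulnerabilities(SAMPLE_REPORT, "MEDIUM,HIGH,CRITICAL")))
```

With the default severity list every finding is kept; passing the action's `severity` value narrows the comment the same way the input description states.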

Future improvements

  1. The comment step could be improved with additional templating and by adding further references to the required items.
  2. Update the action with a force-fail parameter for the running pipeline (yml `exit-code: 0`).

How to use:

Example 1: Basic setup, only GitHub Token required

```yaml
- name: Run security scan
  uses: propertylift/github.action.security-scan
  with:
    token: ${{ secrets.GITHUB_TOKEN }}
```

Example 2: Extended configuration

```yaml
- name: Run security scan
  uses: propertylift/github.action.security-scan
  with:
    severity: 'MEDIUM,HIGH,CRITICAL'
    token: ${{ secrets.GITHUB_TOKEN }}
```

Inputs:

| Parameter Name | Required | Default | Description |
|---|---|---|---|
| severity | No | UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL | Severities of vulnerabilities to scan for and display |
| token | Yes | - | GITHUB_TOKEN |
| resultFile | No | trivy-scan-results.output | File containing the security scan result |
| templateFile | No | trivy_markdown.tpl | File containing the Trivy template data |