From 2968e74714b149b04f1dba489e7c0942a6ff0d5c Mon Sep 17 00:00:00 2001
From: Evan
Date: Mon, 12 Aug 2024 16:20:49 -0700
Subject: [PATCH 1/2] Permissions + Comment Fix
---
 .github/workflows/pr-scan.yml | 40 +++++++++++++++++++++++++----------
 1 file changed, 29 insertions(+), 11 deletions(-)
diff --git a/.github/workflows/pr-scan.yml b/.github/workflows/pr-scan.yml
index af510ccc3b..fb0d4c671b 100644
--- a/.github/workflows/pr-scan.yml
+++ b/.github/workflows/pr-scan.yml
@@ -1,8 +1,8 @@ name: PR Security Scan on: - pull_request: - types: [opened, synchronize, reopened] - workflow_dispatch: + pull_request_target: + branches: ['**'] + jobs: scan: runs-on: ubuntu-latest
@@ -12,6 +12,7 @@ jobs: with: fetch-depth: 0 submodules: 'recursive' + - name: Build the Docker image uses: docker/build-push-action@v5 with:
@@ -19,6 +20,7 @@ jobs: push: false load: true tags: pr_image:${{ github.sha }} + - name: Run Trivy vulnerability scanner on image uses: aquasecurity/trivy-action@0.20.0 with:
@@ -26,6 +28,7 @@ jobs: format: 'json' output: 'trivy-image-results.json' severity: 'CRITICAL,HIGH' + - name: Run Trivy vulnerability scanner on source code uses: aquasecurity/trivy-action@0.20.0 with:
@@ -34,10 +37,12 @@ jobs: format: 'json' output: 'trivy-fs-results.json' severity: 'CRITICAL,HIGH' - - name: Process and post Trivy scan results + + - name: Process Trivy scan results + id: process-results uses: actions/github-script@v7 with: - github-token: ${{secrets.GITHUB_TOKEN}} + github-token: ${{ secrets.GITHUB_TOKEN }} script: | const fs = require('fs'); let commentBody = '## Security Scan Results for PR\n\n';
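Review bot: Switching the trigger to `pull_request_target` in the first hunk changes what `github.sha` means for the unchanged `tags: pr_image:${{ github.sha }}` line (context in the `@@ -19,6 +20,7 @@` hunk): under that event it is the base-branch head, not a commit of the pull request, so the image tag no longer identifies the code that was built and scanned. Use the PR commit instead, `tags: pr_image:${{ github.event.pull_request.head.sha }}`, so the Trivy image report can be tied back to the scanned revision. The enclosing job continues outside these hunks.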
@@ -79,9 +84,22 @@ jobs: commentBody += 'Please contact the core team for assistance.'; } - github.rest.issues.createComment({ - issue_number: context.issue.number, - owner: context.repo.owner, - repo: context.repo.repo, - body: commentBody - }); + core.setOutput('comment-body', commentBody); + + - name: Find Comment + uses: peter-evans/find-comment@v3 + id: fc + with: + token: ${{ secrets.GITHUB_TOKEN }} + issue-number: ${{ github.event.pull_request.number }} + comment-author: 'github-actions[bot]' + body-includes: Security Scan Results for PR + + - name: Create or update comment + uses: peter-evans/create-or-update-comment@v3 + with: + token: ${{ secrets.GITHUB_TOKEN }} + issue-number: ${{ github.event.pull_request.number }} + comment-id: ${{ steps.fc.outputs.comment-id }} + body: ${{ steps.process-results.outputs.comment-body }} + edit-mode: replace
From 19c81aa76f090fd7162ab91bb4b7a66c3dd8c085 Mon Sep 17 00:00:00 2001
From: Evan
Date: Fri, 16 Aug 2024 16:21:16 -0700
Subject: [PATCH 2/2] Scan Refactor
---
 .github/workflows/pr-scan.yml | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/.github/workflows/pr-scan.yml b/.github/workflows/pr-scan.yml
index fb0d4c671b..eded58985d 100644
--- a/.github/workflows/pr-scan.yml
+++ b/.github/workflows/pr-scan.yml
@@ -1,15 +1,19 @@ name: PR Security Scan -on: +on: pull_request_target: - branches: ['**'] - + types: [opened, synchronize, reopened] + jobs: scan: runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write steps: - - name: Check out code + - name: Check out code uses: actions/checkout@v4 with: + ref: ${{ github.event.pull_request.head.sha }} fetch-depth: 0 submodules: 'recursive'
@@ -42,7 +46,6 @@ jobs: id: process-results uses: actions/github-script@v7 with: - github-token: ${{ secrets.GITHUB_TOKEN }} script: | const fs = require('fs'); let commentBody = '## Security Scan Results for PR\n\n';
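Review bot: The two third-party actions added in this hunk, `peter-evans/find-comment@v3` and `peter-evans/create-or-update-comment@v3`, are referenced by mutable major-version tags, and they run in a workflow that (after the first hunk of this patch) is triggered by `pull_request_target` and therefore holds a write-capable `GITHUB_TOKEN` for fork PRs. A moved tag in either upstream repository would run new code with that token; pin each `uses:` to a full commit SHA with the version in a trailing comment, e.g. `uses: peter-evans/find-comment@<full-commit-sha> # v3`. The same applies to the existing `aquasecurity/trivy-action@0.20.0`, `docker/build-push-action@v5` and `actions/github-script@v7` references elsewhere in the file.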
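Review bot: The added `ref: ${{ github.event.pull_request.head.sha }}` checks out fork-controlled code in a job triggered by `pull_request_target`, so the later `docker/build-push-action` step (outside this hunk) builds the PR's own Dockerfile on a runner that carries the repository `GITHUB_TOKEN` and any repository secrets; the new `permissions:` block narrows that token to `pull-requests: write`, which is good, but does not remove it from the runner, and `actions/checkout@v4` writes the token into the checkout's git config by default. At minimum add `persist-credentials: false` under the checkout's `with:` so the token is not present in the build context. The more robust shape is the one GitHub's own guidance on `pull_request_target` recommends, as far as I recall it: run the checkout, build and Trivy scans in a `pull_request`-triggered workflow with no secrets, upload the results as an artifact, and post the comment from a separate `workflow_run` job. Note also that `submodules: 'recursive'` (context line) will follow whatever `.gitmodules` the PR head contains.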
@@ -85,12 +88,10 @@ jobs: } core.setOutput('comment-body', commentBody); - - name: Find Comment uses: peter-evans/find-comment@v3 id: fc with: - token: ${{ secrets.GITHUB_TOKEN }} issue-number: ${{ github.event.pull_request.number }} comment-author: 'github-actions[bot]' body-includes: Security Scan Results for PR
@@ -98,7 +99,6 @@ jobs: - name: Create or update comment uses: peter-evans/create-or-update-comment@v3 with: - token: ${{ secrets.GITHUB_TOKEN }} issue-number: ${{ github.event.pull_request.number }} comment-id: ${{ steps.fc.outputs.comment-id }} body: ${{ steps.process-results.outputs.comment-body }}