On Branch: release with Image: appsmith/cloud-services:release #139

Workflow file for this run

.github/workflows/test-vulnerabilities-data.yml at 3442aeb

	name: Run Vulnerability

	run-name: >
	On Branch: ${{ github.ref_name }} with Image: ${{ inputs.image_name \|\| 'appsmith/appsmith-ce:release' }}

	on:
	workflow_dispatch:
	inputs:
	image_name:
	description: 'Docker image name to scan'
	required: true
	default: 'appsmith/appsmith-ce:release'

	jobs:
	run-and-update-pr:
	runs-on: ubuntu-latest
	steps:
	- name: Checkout repository
	uses: actions/checkout@v3

	- name: Set up Node.js
	uses: actions/setup-node@v3
	with:
	node-version: '20'

	- name: Login to DockerHub
	uses: docker/login-action@v3
	with:
	username: ${{ secrets.DOCKER_HUB_USERNAME }}
	password: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}

	- name: Install pg
	run: npm install pg

	# Run Scout vulnerability data script
	- name: Run Scout vulnerability data script
	if: always()
	env:
	DB_HOST: ${{ secrets.CYPRESS_DB_HOST }}
	DB_NAME: ${{ secrets.CYPRESS_DB_NAME }}
	DB_USER: ${{ secrets.CYPRESS_DB_USER }}
	DB_PWD: ${{ secrets.CYPRESS_DB_PWD }}
	run: \|
	chmod +x scripts/scout_vulnerabilities_data.sh
	./scripts/scout_vulnerabilities_data.sh \
	"${{ inputs.image_name }}" \
	"${{ github.event.pull_request.number }}" \
	"${{ github.event.pull_request.html_url }}" \
	"${{ github.run_id }}"

	- name: Run Trivy vulnerability data script
	if: always()
	env:
	DB_HOST: ${{ secrets.CYPRESS_DB_HOST }}
	DB_NAME: ${{ secrets.CYPRESS_DB_NAME }}
	DB_USER: ${{ secrets.CYPRESS_DB_USER }}
	DB_PWD: ${{ secrets.CYPRESS_DB_PWD }}
	GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
	run: \|
	echo "${{ secrets.GITHUB_TOKEN }}" \| docker login ghcr.io -u "${{ github.actor }}" --password-stdin
	chmod +x scripts/trivy_vulnerabilities_data.sh
	./scripts/trivy_vulnerabilities_data.sh \
	"${{ inputs.image_name }}" \
	"${{ github.event.pull_request.number }}" \
	"${{ github.event.pull_request.html_url }}" \
	"${{ github.run_id }}"

	- name: Check for new vulnerabilities in Scout and Trivy files
	if: always()
	run: \|
	# Check if Scout vulnerabilities file has data after the header
	if [ $(tail -n +2 scout_new_vulnerabilities.csv \| wc -l) -gt 0 ]; then
	echo "Scout vulnerabilities detected."
	cat scout_new_vulnerabilities.csv
	exit 1 # Fail the job if data exists
	else
	echo "No new Scout vulnerabilities detected."
	fi

	# Check if Trivy vulnerabilities file has data after the header
	if [ $(tail -n +2 trivy_new_vulnerabilities.csv \| wc -l) -gt 0 ]; then
	echo "Trivy vulnerabilities detected."
	cat trivy_new_vulnerabilities.csv
	exit 1 # Fail the job if data exists
	else
	echo "No new Trivy vulnerabilities detected."
	fi

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

On Branch: release with Image: appsmith/cloud-services:release #139

Workflow file

On Branch: release with Image: appsmith/cloud-services:release #139

Jobs

Run details

Workflow file for this run