feat: [SRE-826] add GH action and CI workflows #2
Conversation
| - name: Upload Trivy Report as PR Comment and parse Critical vulnerabilities | ||
| id: trivy_report_notification | ||
| if: steps.trivy_scan.outcome == 'failure' && inputs.github-token != '' | ||
| uses: actions/github-script@v7 | ||
| env: | ||
| GITHUB_TOKEN: ${{ inputs.github-token }} | ||
| SCAN_TYPE: ${{ inputs.scan-type }} |
There was a problem hiding this comment.
This can be simplified by using the Trivy SARIF output and uploading it to GitHub security scanning. That will give native alerts and CI status for anything reported, which should plug into any code security software we setup later down the line.
https://aquasecurity.github.io/trivy/v0.28.1/docs/vulnerability/examples/report/#sarif
https://github.com/github/codeql-action/blob/main/upload-sarif/action.yml
There was a problem hiding this comment.
@btkostner I saw this option but didn't see that we GH advanced security license for this to work.
There was a problem hiding this comment.
Ah good call. Looks like we don't have it. I've only ever used it in public repos so I didn't know it was behind a license for enterprise. 👍
🤖 I have created a release *beep* *boop* --- <details><summary>1.1.0</summary> ## [1.1.0](v1.0.0...v1.1.0) (2024-06-20) ### Features * [SRE-826] add GH action and CI workflows ([#2](#2)) ([5e64a59](5e64a59)) </details> --- This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please). [SRE-826]: https://stord.atlassian.net/browse/SRE-826?atlOrigin=eyJpIjoiNWRkNTljNzYxNjVmNDY3MDlhMDU5Y2ZhYzA5YTRkZjUiLCJwIjoiZ2l0aHViLWNvbS1KU1cifQ
Adding GH Action to support SRE-826 . Output sample slack notification and github PR comment in comment section in jira ticket.