
fix(sections): ReconstructableSection as policy #4664



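name: PR Security Scan

# Builds every image in the matrix locally (never pushed), scans it with Trivy,
# uploads the SARIF to the Security tab, keeps the JSON as a short-lived
# artifact, and finally posts a PR summary from the combined JSON results.
#
# NOTE(review): none of the Trivy steps set `exit-code`, so findings are
# informational and never fail the check. Add `exit-code: "1"` to the SARIF
# step if CRITICAL/HIGH findings should block the PR.
on:
  pull_request:
    branches:
      - "**"
  merge_group:
    types:
      - checks_requested

# Least privilege: the default token is read-only; each job below widens
# only the single scope it actually needs.
permissions:
  contents: read

concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

env:
  TRIVY_SEVERITY: "CRITICAL,HIGH,MEDIUM,LOW"

jobs:
  build-and-scan:
    runs-on: ubuntu-latest
    # Bound the job so a hung build or vulnerability-DB download cannot pin a
    # runner indefinitely (the per-step Trivy timeout does not cover the build).
    timeout-minutes: 30
    permissions:
      contents: read
      security-events: write  # upload-sarif only
    strategy:
      matrix:
        image:
          - name: "refiner-app"
            dockerfile: "Dockerfile.app"
          - name: "refiner-lambda"
            dockerfile: "Dockerfile.lambda"
          - name: "refiner-ops"
            dockerfile: "Dockerfile.ops"
      fail-fast: false
    steps:
      # NOTE(review): only the Trivy action is pinned to a commit SHA; every
      # other action below follows a mutable major tag. Pin them to full SHAs
      # (with a `# vX.Y.Z` comment) so a moved or compromised tag cannot change
      # the code that runs with write scopes in this workflow.
      - name: Checkout repository
        uses: actions/checkout@v6
        with:
          # Nothing in this job needs git credentials after checkout; do not
          # leave the token in .git/config where the image build could read it.
          persist-credentials: false

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v4

      - name: Build image locally (no push)
        uses: docker/build-push-action@v7
        with:
          context: .
          file: ${{ matrix.image.dockerfile }}
          load: true  # Load into the local daemon for scanning only
          tags: local-scan/${{ matrix.image.name }}:${{ github.sha }}
          cache-from: type=gha
          cache-to: type=gha,mode=max

      # `ignore-unfixed: true` hides findings that have no upstream fix yet;
      # they are still real exposure, so revisit this if the images run with
      # elevated privileges or face untrusted input directly.
      - name: Run Trivy vulnerability scanner (SARIF)
        uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0
        with:
          image-ref: local-scan/${{ matrix.image.name }}:${{ github.sha }}
          format: "sarif"
          output: "trivy-${{ matrix.image.name }}-results.sarif"
          severity: ${{ env.TRIVY_SEVERITY }}
          ignore-unfixed: true
          timeout: "10m"

      - name: Run Trivy vulnerability scanner (JSON for PR comment)
        uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0
        with:
          image-ref: local-scan/${{ matrix.image.name }}:${{ github.sha }}
          format: "json"
          output: "trivy-${{ matrix.image.name }}-results.json"
          severity: ${{ env.TRIVY_SEVERITY }}
          ignore-unfixed: true
          timeout: "10m"

      # Console view uses the same severity/fixed filters as the SARIF and
      # JSON runs, so what reviewers see in the log matches what is uploaded.
      - name: Display Trivy results as table
        uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0
        with:
          image-ref: local-scan/${{ matrix.image.name }}:${{ github.sha }}
          format: "table"
          severity: ${{ env.TRIVY_SEVERITY }}
          ignore-unfixed: true
          timeout: "10m"

      - name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v4
        if: always()
        with:
          sarif_file: "trivy-${{ matrix.image.name }}-results.sarif"
          category: "pr-scan-${{ matrix.image.name }}"

      - name: Upload JSON results as artifact
        uses: actions/upload-artifact@v7
        if: always()
        with:
          name: trivy-results-${{ matrix.image.name }}
          path: trivy-${{ matrix.image.name }}-results.json
          retention-days: 5

      # Matrix values are workflow-controlled, but passing them through `env`
      # rather than interpolating `${{ }}` into the shell keeps the run block
      # free of expression injection by construction.
      - name: Generate scan summary
        if: always()
        env:
          IMAGE_NAME: ${{ matrix.image.name }}
        run: |
          {
            echo "## Security Scan Results for ${IMAGE_NAME}"
            echo ""
            if [ -f "trivy-${IMAGE_NAME}-results.sarif" ]; then
              echo "Vulnerability scan completed successfully"
              echo "Results uploaded to Security tab"
              echo "Category: pr-scan-${IMAGE_NAME}"
            else
              echo "Scan failed or no results generated"
            fi
          } >> "$GITHUB_STEP_SUMMARY"

  scan-summary:
    runs-on: ubuntu-latest
    needs: build-and-scan
    if: always()
    timeout-minutes: 10
    permissions:
      contents: read
      pull-requests: write  # PR comment posted by security-summary.js
    steps:
      - name: Checkout repository
        uses: actions/checkout@v6
        with:
          persist-credentials: false

      - name: Download scan results
        uses: actions/download-artifact@v8
        with:
          pattern: trivy-results-*
          merge-multiple: true

      # NOTE(review): the script is taken from the checked-out PR merge commit,
      # so its code is PR-author controlled. On `pull_request` from a fork the
      # token is read-only regardless of the permission above, so posting the
      # comment may fail there — security-summary.js should tolerate that.
      - name: PR Security Summary with Details
        uses: actions/github-script@v7
        with:
          script: |
            const script = require('./.github/scripts/security-summary.js');
            await script.generatePRSummary(github, context, core);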