
Patch/flask jinja2 updates #71


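---
# CI security scanning.
#  * trivy-repo-scan: full filesystem scan on every push to main and every PR;
#    SARIF is uploaded to the repository's Security tab.
#  * reviewdog-pr-check (PRs only): when a PR touches a dependency manifest,
#    HIGH/CRITICAL findings are posted inline as review comments.
#
# Supply-chain note: every `uses:` below is pinned to a mutable tag
# (`@v4`, `@0.28.0`, `@v1`, ...). A tag can be moved by whoever controls the
# action repository, so pin each action to a full-length commit SHA of the
# release you audited and let Dependabot/Renovate keep it current. SHAs are
# deliberately not filled in here; look them up from the upstream release.
name: build

on:
  push:
    branches:
      - main
  pull_request:

# Workflow-wide default of no token scopes; each job asks for what it needs.
permissions: {}

jobs:
  trivy-repo-scan:
    name: Trivy Repo Scan & Upload to Security Tab
    runs-on: ubuntu-latest
    # Least privilege: a read-only filesystem scan plus a SARIF upload never
    # writes to the repository, so the previous `contents: write` is reduced
    # to `contents: read`. upload-sarif documents `actions: read` as required
    # on private repositories; it is harmless on public ones.
    permissions:
      contents: read
      security-events: write
      actions: read
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Run Trivy vulnerability scanner in repo mode
        uses: aquasecurity/trivy-action@0.28.0
        with:
          scan-type: "fs"
          # ignore-unfixed suppresses findings with no upstream fix yet. That
          # keeps the Security tab actionable, but unfixable CVEs are then
          # invisible here; drop it if a full inventory is needed.
          ignore-unfixed: true
          format: "sarif"
          output: "trivy-results.sarif"

      - name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: "trivy-results.sarif"

  reviewdog-pr-check:
    name: Trivy PR Check
    runs-on: ubuntu-latest
    needs: trivy-repo-scan
    if: github.event_name == 'pull_request'
    # pull-requests: write is needed to post review comments. For PRs from
    # forks GITHUB_TOKEN is read-only regardless, so reviewdog cannot post
    # there; fail_on_error: false below keeps that from failing CI.
    permissions:
      contents: read
      pull-requests: write
    steps:
      - name: Checkout code (full history)
        uses: actions/checkout@v4
        with:
          # Full history so both PR SHAs and their merge-base are present.
          fetch-depth: 0

      - name: Install Trivy CLI
        uses: aquasecurity/setup-trivy@v0.2.1

      - name: Get changed files (PR base...head)
        shell: bash
        # Event-payload values go through `env:` rather than being
        # interpolated into the script: `${{ }}` is substituted before bash
        # sees the text, so env is the injection-safe pattern for anything
        # attacker-influenced. These two are SHAs (hex only), so the risk
        # here is low; the habit is what matters.
        env:
          BASE_SHA: ${{ github.event.pull_request.base.sha }}
          HEAD_SHA: ${{ github.event.pull_request.head.sha }}
        run: |
          echo "Base SHA: $BASE_SHA"
          echo "Head SHA: $HEAD_SHA"
          # Three-dot form diffs against the merge-base, so only files this PR
          # itself touches are listed. The previous two-dot (base..head) form
          # would also list files changed on main since the branch point.
          git diff --name-only "$BASE_SHA...$HEAD_SHA" > changed-files.txt
          echo "Changed files:"
          cat changed-files.txt || true

      - name: Filter dependency files (Python + Node)
        id: depfilter
        shell: bash
        run: |
          # Only manifests Trivy can resolve; everything else is noise here.
          grep -E "(^|/)(requirements(\-dev)?\.txt|package-lock\.json)$" changed-files.txt > dep-changed-files.txt || true
          echo "Dependency files changed:"
          cat dep-changed-files.txt || true
          if [ -s dep-changed-files.txt ]; then
            echo "has_deps=true" >> "$GITHUB_OUTPUT"
          else
            echo "has_deps=false" >> "$GITHUB_OUTPUT"
          fi

      - name: Run Trivy on changed dependency files (JSON per file)
        if: steps.depfilter.outputs.has_deps == 'true'
        shell: bash
        run: |
          mkdir -p trivy-results
          while IFS= read -r file; do
            # Paths come from the PR author; keep them quoted and skip
            # anything that is not a regular file in the checkout.
            [ -f "$file" ] || continue
            safe="${file//\//_}"
            echo "Scanning $file..."
            # `|| true`: a scan error must not mask the reviewdog step below.
            # The per-file JSON is kept in the job log as evidence only; the
            # reviewdog step runs its own scan (see note there).
            trivy fs \
              --scanners vuln \
              --severity HIGH,CRITICAL \
              --ignore-unfixed \
              --format json \
              --output "trivy-results/${safe}.json" \
              "$file" || true
          done < dep-changed-files.txt

      - name: Run Reviewdog
        if: steps.depfilter.outputs.has_deps == 'true'
        uses: reviewdog/action-trivy@v1
        with:
          github_token: ${{ secrets.GITHUB_TOKEN }}
          # NOTE(review): action-trivy executes
          # `trivy <trivy_command> <trivy_flags> <trivy_target>` itself. The
          # previous target `./trivy-results` pointed it at the JSON reports
          # written above, which Trivy's fs scanner does not consume, so no
          # finding could reach the PR. Scan the checkout with the same
          # filters instead and rely on reviewdog's diff filter to limit
          # comments to lines this PR changed. Verify against the
          # action-trivy README for the pinned version.
          trivy_command: fs
          trivy_target: "."
          trivy_flags: "--scanners vuln --severity HIGH,CRITICAL --ignore-unfixed"
          reporter: github-pr-review
          filter_mode: added
          level: error
          fail_on_error: false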