Trivy test

.github/workflows/gradle.yml

@@ -1,21 +1,21 @@
 name: PR Test & Analysis
 
 on:
-  push:
+  pull_request:
+    types: [ opened, reopened, synchronize ]
     branches:
       - main
       - dev
-#env:
-#  SLACK_VULNERABILITY_WEBHOOK_URL: ${{secrets.SLACK_VULNERABILITY_WEBHOOK_URL}}
-#  SLACK_PR_NOTIFICATION_WEBHOOK_URL: ${{secret.SLACK_PR_NOTIFICATION_WEBHOOK_URL}}
 
 concurrency:
-  group: ci-pr-${{ github.head_ref }}
+  group: ci-pr-${{ github.base_ref }}
   cancel-in-progress: true
 
 jobs:
   fetch-and-diff:
     runs-on: ubuntu-latest
+    env:
+      MODULES: demo demo1
 
     outputs:
       modified_modules: ${{ steps.determine_modules.outputs.modules }}
@@ -26,19 +26,18 @@ jobs:
         with:
           fetch-depth: 0
 
-      - name: Set Modules
-        run: |
-          echo "MODULES=demo demo1" >> $GITHUB_ENV
-
-      - name: Fetch Base Branch
-        run: git fetch origin +refs/heads/${{ github.ref_name }}:refs/remotes/origin/${{ github.ref_name }}
-
       - name: Get Modified Files
         run: |
-          MODIFIED_FILES=$(git diff --name-only ${{ github.event.before }} ${{ github.sha }}  | tr '\n' ' ')
+          MODIFIED_FILES=$(git diff --name-only origin/${{ github.head_ref }} origin/${{ github.base_ref }}  | tr '\n' ' ')
           echo $MODIFIED_FILES
           echo "MODIFIED_FILES=$MODIFIED_FILES" >> $GITHUB_ENV
 
+      - name: Fetch Base Branch
+        run: |
+          echo "From : ${{ github.head_ref }}"
+          echo "To : ${{ github.base_ref }}"
+          git fetch origin +refs/heads/${{ github.head_ref }}:refs/remotes/origin/${{ github.base_ref }}
+
       - name: Determine Modified Modules
         id: determine_modules
         run: |
@@ -85,31 +84,55 @@ jobs:
           MODULES=$(echo "$RAW_MODULES" | sed 's/\[//g; s/\]//g')
           IFS=',' read -ra MODIFIED_MODULES <<< "$MODULES"
           for MODULE in "${MODIFIED_MODULES[@]}"; do
-            docker build -f ${MODULE}/Dockerfile -t jerryworld/${MODULE}-${{ github.ref_name }}:${{ github.sha }} .
-            docker push jerryworld/${MODULE}-${{ github.ref_name }}:${{ github.sha }}
+            docker build -f ${MODULE}/Dockerfile -t jerryworld/${MODULE}-${{ github.base_ref }}:${{ github.sha }} .
+            docker push jerryworld/${MODULE}-${{ github.base_ref }}:${{ github.sha }}
           done
   scan:
-#    needs: fetch-and-diff
+    needs: fetch-and-diff
     runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        module: ${{ fromJSON(needs.fetch-and-diff.outputs.modified_modules) }}
     steps:
-      - name: Set Modules
-        run: |
-          echo "MODULES=demo demo1" >> $GITHUB_ENV
       - name: Install Trivy
         run: |
           curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sudo sh -s -- -b /usr/local/bin
       - name: Run Trivy vulnerability scanner
         run: |
-          for module in ${{ env.MODULES }}; do
-            echo ${module}
-            trivy image \ 
-              --ignore-unfixed \
-              --severity CRITICAL,HIGH \
-              --format sarif --output trivy-results_${module}.sarif \
-              jerryworld/${module}-${{ github.ref_name }}:${{ github.sha }} 
-          done
-
-
+          echo "CHECK Target : ${{ matrix.module }}"
+          MODULE=${{ matrix.module }}
+          trivy image \
+          --format table \
+          --ignore-unfixed \
+          --vuln-type  os,library \
+          --severity  CRITICAL,HIGH,MEDIUM \
+          --output ${MODULE}_trivy-results.sarif \
+          jerryworld/${{ matrix.module }}-${{ github.base_ref }}:${{ github.sha }}
+      - name: check sarif
+        id: save_sarif
+        run: |
+          ls -al
+          MODULE=${{ matrix.module }}
+          DATA=$(cat ${MODULE}_trivy-results.sarif)
+          echo -e "trivy-results<<EOF" >> $GITHUB_OUTPUT
+          echo -e "$DATA" >> $GITHUB_OUTPUT
+          echo "EOF" >> $GITHUB_OUTPUT
+      - name: Add comment
+        uses: actions/github-script@v6
+        env:
+          TRIVY_RESULTS: ${{ steps.save_sarif.outputs.trivy-results }}
+        with:
+          github-token: ${{ secrets.GIT_TOKEN }}
+          script: |
+            const { owner, repo } = context.repo;
+            const pr_number = context.payload.pull_request.number;
+
+            github.rest.issues.createComment({
+              owner: owner,
+              repo: repo,
+              issue_number: pr_number,
+              body: process.env.TRIVY_RESULTS
+            });
   push-manifest:
     name: Push Manifest
     needs: fetch-and-diff
@@ -131,13 +154,16 @@ jobs:
           git config --global user.name "jerry-world"
 
           echo "UPDATE Target : ${{ matrix.module }}"
-          IFS=' ' read -r -a MODIFIED_MODULES <<< "${{ matrix.module }}"
-          for MODULE in "${MODIFIED_MODULES[@]}"; do
-            cd apps/${MODULE}/overlay/${{ github.ref_name }}
-            after_sha="${{ github.sha }}"
-            echo "this revision : ${after_sha}"
-            sed -i "s|\(image:[[:space:]]*[^:]*:\)[^[:space:]]*$|\1${after_sha}|g" ${MODULE}-deployment-patch.yaml
-            git add -A
-            git commit -m "update manifest demo"
-          done
-          git push
+          MODULE=${{ matrix.module }}
+          cd apps/${MODULE}/overlay/${{ github.base_ref }}
+          after_sha="${{ github.sha }}"
+          echo "this revision : ${after_sha}"
+          sed -i "s|\(image:[[:space:]]*[^:]*:\)[^[:space:]]*$|\1${after_sha}|g" ${MODULE}-deployment-patch.yaml
+          git add -A
+          git commit -m "update manifest demo"
+          git push
+
+
+#env:
+#  SLACK_VULNERABILITY_WEBHOOK_URL: ${{secrets.SLACK_VULNERABILITY_WEBHOOK_URL}}
+#  SLACK_PR_NOTIFICATION_WEBHOOK_URL: ${{secret.SLACK_PR_NOTIFICATION_WEBHOOK_URL}}

demo/build.gradle

@@ -27,25 +27,13 @@ dependencies {
     implementation 'org.springframework.boot:spring-boot-starter'
     implementation 'org.springframework.boot:spring-boot-starter-web'
     implementation 'org.springframework.boot:spring-boot-starter-webflux'
-    implementation 'org.springframework.boot:spring-boot-starter-data-jpa'
     implementation 'org.springframework.boot:spring-boot-starter-validation'
     implementation 'org.springframework.cloud:spring-cloud-starter'
-    implementation 'org.springframework.cloud:spring-cloud-starter-config'
     implementation 'org.springframework.boot:spring-boot-starter-actuator'
 
     // KMS
     implementation 'com.github.ulisesbocchio:jasypt-spring-boot-starter:3.0.5'
 
-    // Jpa - JSON
-    implementation 'io.hypersistence:hypersistence-utils-hibernate-63:3.7.6'
-
-    // queryDSL
-    implementation 'com.querydsl:querydsl-jpa:5.1.0:jakarta'
-    implementation 'com.querydsl:querydsl-sql-spatial:5.1.0'
-    annotationProcessor "com.querydsl:querydsl-apt:5.1.0:jakarta"
-    annotationProcessor "jakarta.annotation:jakarta.annotation-api"
-    annotationProcessor "jakarta.persistence:jakarta.persistence-api"
-
     // Swagger
     implementation 'org.springdoc:springdoc-openapi-starter-webmvc-ui:2.5.0'
 

demo/src/main/java/com/example/demo/DemoApplication.java

@@ -9,5 +9,5 @@ public class DemoApplication {
     public static void main(String[] args) {
         SpringApplication.run(DemoApplication.class, args);
     }
-    //수정테스트3 - DIFF
+    //수정테스트3 - DIFF12
 }

demo/src/main/java/com/example/demo/home/HomeController.java

@@ -11,7 +11,7 @@ public class HomeController {
     @RequestMapping(value = "/home")
     public String home() {
         System.out.println("home Check");
-        System.out.println("Trivy 테스트");
+        System.out.println("Trivy 테스트12");
         return "Welcome home";
     }
 }

demo1/src/main/java/com/example/demo/home1/Home1Controller.java

@@ -9,7 +9,7 @@
 public class Home1Controller {
     @GetMapping
     public String home1(){
-        System.out.println("home1");
+        System.out.println("home1_12");
         return "home1";
     }
 }