generate trivy message from json

grafana · Oct 31, 2023 · 9095027 · 9095027
1 parent 75c1e32
commit 9095027
Showing 1 changed file with 19 additions and 8 deletions.
diff --git a/.github/workflows/vulnerability-scan.yml b/.github/workflows/vulnerability-scan.yml
@@ -1,4 +1,4 @@
-name: Run vulnerability scans and comment on PR
+name: PR Vulnerability Scan
 on: pull_request
 
 permissions:
@@ -10,7 +10,8 @@ jobs:
     name: Snyk Scan
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@master
+      - name: Checkout code
+        uses: actions/checkout@master
       - name: Run Snyk to check for vulnerabilities
         uses: snyk/actions/golang@master
         continue-on-error: true # To make sure that PR comment is made
@@ -19,7 +20,7 @@ jobs:
         with:
           command: test
           args: --severity-threshold=high > snyk-results.txt
-      - name: Add Snyk scan results to PR
+      - name: Comment on PR with Snyk scan results
         uses: mshick/add-pr-comment@v2
         with:
           message-path: snyk-results.txt
@@ -30,7 +31,7 @@ jobs:
       - name: Checkout code
         uses: actions/checkout@v3
 
-      - name: Build an image from Dockerfile
+      - name: Build Loki Image
         run: |
           IMAGE_TAG="$(./tools/image-tag)"
           make loki-image
@@ -40,10 +41,20 @@ jobs:
         uses: aquasecurity/trivy-action@master
         with:
           image-ref: "docker.io/grafana/loki:${{ env.IMAGE_TAG }}"
-          format: "table"
-          output: "trivy-results.txt"
+          format: "json"
+          output: "trivy.json"
+
+      - name: Generate Message
+        uses: sergeysova/jq-action@v2
+        id: trivy-message
+        with:
+          cmd: jq -r '.Results[] | .Vulnerabilities[] | "* \(.Severity) [\(.Title)](\(.PrimaryURL)) in \(.PkgName) v\(.InstalledVersion). Fixed in v\(.FixedVersion)"' trivy.json
+          multiline: true
 
-      - name: Add Trivy scan results to PR
+      - name: Comment on PR with Trivy scan results
         uses: mshick/add-pr-comment@v2
         with:
-          message-path: trivy-results.txt
+          message: |
+            Trivy scan found the following vulernbilities:
+
+            ${{ steps.trivy-message.outputs.value }}