7878 echo "Code review placeholder"
7979 echo "Future implementation: AI-powered review for architecture, security, and best practices"
8080
81+ scan :
82+ if : github.event.pull_request.state == 'open' && github.event.pull_request.draft == false
83+ runs-on : ubuntu-latest
84+ steps :
85+ - name : Checkout code
86+ uses : actions/checkout@v4
87+
88+ - name : Extract branch name
89+ id : extract_branch
90+ run : |
91+ BRANCH_NAME=$(echo ${{ github.event.pull_request.head.ref }} | sed -e 's/^refs\/heads\///g')
92+ BRANCH_HASH=$(sha1sum < <(printf '%s' $BRANCH_NAME) | cut -c -15)
93+ echo "branch_hash=$(echo $BRANCH_HASH)" >> $GITHUB_OUTPUT
94+
95+ name : Get changes
96+ id : changes
97+ run : |
98+ git fetch origin ${{ github.event.pull_request.base.ref }} --depth=1
99+ CHANGED_FILES=$(git diff --name-only origin/${{ github.event.pull_request.base.ref }} HEAD)
100+ for file in $CHANGED_FILES; do
101+ if [[ -f "$file" ]]; then
102+ mkdir -p "changed_files/$(dirname "$file")"
103+ cp "$file" "changed_files/$file"
104+ fi
105+ done
106+ echo $CHANGED_FILES
107+ ls changed_files/
108+ echo "changed_files=$(echo $CHANGED_FILES)" >> $GITHUB_OUTPUT
109+
110+ name : Run Trivy scan on changed files
111+ id : trivy
112+ if : steps.changes.outputs.changed_files != ''
113+ uses :
aquasecurity/[email protected] 114+ continue-on-error : true
115+ with :
116+ scan-type : ' filesystem'
117+ scan-ref : ' ./changed_files'
118+ format : ' template'
119+ template : ' @fs-markdown.tpl'
120+ output : ' trivy-report.md'
121+ severity : ' HIGH,CRITICAL'
122+ ignore-unfixed : true
123+ trivyignores : " .trivyignore"
124+ exit-code : 1
125+
126+ - name : Comment PR with audit results
127+ uses : peter-evans/create-or-update-comment@v4
128+ if : steps.trivy.outcome == 'failure'
129+ with :
130+ token : ${{ secrets.TRIVY_SCAN_TOKEN }}
131+ issue-number : ${{ github.event.pull_request.number }}
132+ body-path : trivy-report.md
133+
134+ - name : Build Docker image for scanning
135+ run : |
136+ docker build -t flask-react-app:${{ steps.extract_branch.outputs.branch_hash }} .
137+
138+ name : Run Trivy scan on docker images
139+ id : trivy_docker
140+ uses :
aquasecurity/[email protected] 141+ continue-on-error : true
142+ with :
143+ scan-type : ' image'
144+ image-ref : ' flask-react-app:${{ steps.extract_branch.outputs.branch_hash }}'
145+ format : ' template'
146+ template : ' @docker-markdown.tpl'
147+ output : ' trivy-docker-report.md'
148+ severity : ' HIGH,CRITICAL'
149+ ignore-unfixed : true
150+ trivyignores : " .trivyignore"
151+ exit-code : 1
152+
153+ - name : Comment PR with audit results
154+ uses : peter-evans/create-or-update-comment@v4
155+ if : steps.trivy_docker.outcome == 'failure'
156+ with :
157+ token : ${{ secrets.TRIVY_SCAN_TOKEN }}
158+ issue-number : ${{ github.event.pull_request.number }}
159+ body-path : trivy-docker-report.md
160+
161+ - name : Fail job if Trivy found issues
162+ if : steps.trivy.outcome == 'failure' || steps.trivy_docker.outcome == 'failure'
163+ run : |
164+ echo "❌ Trivy found vulnerabilities — failing the job."
165+ exit 1
166+
81167test :
82168 if : github.event.pull_request.state == 'open' && github.event.pull_request.draft == false
83169 runs-on : ubuntu-latest
@@ -107,4 +193,4 @@ jobs:
107193 uses : marocchino/sticky-pull-request-comment@v2
108194 with :
109195 recreate : true
110- path : code-coverage-results.md
196+ path : code-coverage-results.md
0 commit comments