Skip to content
Secrets Scan with Trivy

feat: botが作成したPullRequestではskipする #9

Sign in to view logs

feat: botが作成したPullRequestではskipする

feat: botが作成したPullRequestではskipする #9

Workflow file for this run

globis-org/org-secrets-scan/.github/workflows/secrets-scan.yaml at 6733759e891f45e40bf7e11da87f3f96820ea754
name: Secrets Scan with Trivy
on:
pull_request:
jobs:
filter:
runs-on: ubuntu-latest
outputs:
workdirs: ${{ steps.dirs.outputs.workdirs }}
steps:
- name: Checkout
uses: actions/[email protected]
with:
ref: ${{ github.head_ref }}
- name: Fetch PR base ref
run: |
git fetch --depth=1 origin ${{ github.base_ref }}:${{ github.base_ref }}
# 変更の入ったディレクトリのみ取得する
- name: Get changed directories
id: dirs
run: |
workdirs=$(git diff --name-only ${{ github.base_ref }} ${{ github.head_ref }} | xargs -I {} dirname {} | sort | uniq | jq -R -s -c 'split("\n")[:-1]')
echo "workdirs=$workdirs" >> $GITHUB_OUTPUT
scan:
needs: filter
runs-on: ubuntu-latest
strategy:
matrix:
workdir: ${{ fromJSON(needs.filter.outputs.workdirs) }}
steps:
- name: Checkout
uses: actions/[email protected]
with:
ref: ${{ github.head_ref }}
- name: Check if workdir exists
id: check
run: |
if [ -d "${{ matrix.workdir }}" ]; then
echo "exists=true" >> $GITHUB_OUTPUT
else
echo "exists=false" >> $GITHUB_OUTPUT
fi
- name: Run Aqua Security Trivy
uses: aquasecurity/[email protected]
with:
scan-type: fs
scan-ref: ${{ matrix.workdir }}
severity: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL # default
scanners: secret
output: trivy.txt
exit-code: 1
if: steps.check.outputs.exists == 'true'
- name: Post PR comments
if: failure()
env:
GITHUB_TOKEN: ${{ github.token }}
URL: ${{ github.event.pull_request.html_url }}
run: |
sed -i -e '1i ```' -e '$a ```\nこのactionについては [Notion](https://www.notion.so/globisorg/GitHub-dcb884f8df2646df8d8e686bd6290d46) を参照。' trivy.txt
gh pr comment -F ./trivy.txt "${URL}"