fylein/vulnerability-scan-action
Vulnerability Scan Action

This GitHub Action runs Trivy's filesystem vulnerability scanner (`trivy fs --scanners vuln`) against your repository on every pull request, posts the findings as a PR comment, and fails the job when Critical or High severity vulnerabilities are present.

Features

  • 🔍 Vulnerability scanning of the dependency manifests and lockfiles in your repository with Trivy's filesystem scanner
  • 📊 Detailed vulnerability reports as PR comments
  • 🚫 Failing check on Critical/High severity vulnerabilities, which blocks the PR once branch protection requires the check
  • 📝 Vulnerability reporting organized by severity and package
  • 🔄 Support for repositories with submodules

Usage

Add the following workflow to your repository (e.g., `.github/workflows/security-scan.yml`). Two things to check before relying on it: the action posts its results as a pull-request comment, so the job's `GITHUB_TOKEN` needs `pull-requests: write` (add a `permissions:` block to the job if your repository or organization defaults the token to read-only; the token is always read-only for pull requests opened from forks, where the comment step cannot succeed); and `uses: fylein/vulnerability-scan-action@master` tracks a mutable branch, so pin to a tagged release or a full commit SHA if you need reproducible, tamper-resistant runs:

name: Security Scan

on:
  pull_request:
    types: [opened, synchronize, reopened]

jobs:
  security-scan:
    runs-on: ubuntu-latest
    steps:
      - name: Run Vulnerability Scanner
        uses: fylein/vulnerability-scan-action@master
        with:
          github_token: ${{ secrets.GITHUB_TOKEN }}

Inputs

| Input | Description | Required | Default |
|---|---|---|---|
| `github_token` | GitHub token used to post the PR comment | Yes | N/A |
| `is_submodule` | Whether to check out submodules | No | `false` |
| `trivy_version` | Version of Trivy to install and run | No | `v0.48.1` |

Examples

Basic Usage

- name: Run Security Scan
  uses: fylein/vulnerability-scan-action@master
  with:
    github_token: ${{ secrets.GITHUB_TOKEN }}

Repository with Submodules

- name: Run Security Scan with Submodules
  uses: fylein/vulnerability-scan-action@master
  with:
    github_token: ${{ secrets.GITHUB_TOKEN }}
    is_submodule: true

Output

The action provides:

  1. A detailed PR comment containing:
    • Total vulnerability count
    • Breakdown by severity (Critical, High, Medium, Low, Unknown)
    • Detailed information for each vulnerability, grouped by package
    • Remediation suggestions
  2. A failed job when Critical/High severity vulnerabilities are found, which blocks merging on branches whose protection rules require this check to pass

Example PR comment:

🔍 Security Scan Results

⛔️ Action Required: 3 Critical/High severity vulnerabilities found

Found 3 total vulnerabilities

| Path | VulnerabilityID | PackageName | Severity | InstalledVersion | FixedVersion |
|---|---|---|---|---|---|
| requirements.txt | CVE-2023-31047 | Django | 🔴 CRITICAL | 3.2.14 | 3.2.19, 4.1.9, 4.2.1 |
| requirements.txt | CVE-2022-36359 | Django | 🟠 HIGH | 3.2.14 | 3.2.15, 4.0.7 |
| requirements.txt | CVE-2022-41323 | Django | 🟠 HIGH | 3.2.14 | 3.2.16, 4.0.8, 4.1.2 |

Remediation

⚠️ Action Required: Critical/High severity vulnerabilities must be fixed before merging

  • Update vulnerable packages to their fixed versions where available
  • Run `trivy fs --scanners vuln .` locally to see more details

Behavior

  • The action fails the job if any Critical or High severity vulnerabilities are found. A failed check only prevents merging when a branch protection rule or ruleset requires it to pass, so require the `security-scan` job on your protected branches; Medium, Low and Unknown findings are reported but do not fail the job
  • Vulnerabilities are grouped by severity and package for easy review
  • Each vulnerability includes:
    • Vulnerability ID
    • Current and fixed versions
    • Brief description
    • Package information
    • Severity level

Local Testing

To run the same scan locally:

  1. Install Trivy. Pass the version the action uses (the `trivy_version` input, `v0.48.1` by default) as the last argument so local and CI results come from the same scanner and database format. This pipes a script fetched over the network into `sh`; review it first, or install Trivy from a release package if your environment forbids that pattern:
curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin v0.48.1
  2. Run the scan. By itself this command exits 0 whatever it finds; add `--exit-code 1 --severity CRITICAL,HIGH` to reproduce the action's merge gate:
trivy fs --scanners vuln .
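
The script below is an added example, not code from fylein/vulnerability-scan-action. It reproduces the action's output and merge gate from a report written with `trivy fs --scanners vuln --format json -o trivy.json .`: it counts findings per severity, groups them by file and package, renders a Markdown comment with the same columns as the example above, and returns a non-zero status when any Critical/High finding exists. It goes a little beyond the README by handling the cases a real report produces: a clean target (Trivy omits the `Vulnerabilities` key), a finding without a `FixedVersion`, and a finding without a `Severity`. The file name `trivy_gate.py`, the badges for Medium/Low/Unknown, and the embedded `SAMPLE_REPORT` are this example's own; only the three Django CVEs in the sample come from the README, the `EXAMPLE-*` entries are constructed placeholders, not real advisories.

```python
"""Reproduce the action's summary and merge gate from a Trivy JSON report.

Added example, not code from fylein/vulnerability-scan-action. Input is the
JSON written by `trivy fs --scanners vuln --format json -o trivy.json .`;
the field names (Results, Target, Vulnerabilities, VulnerabilityID, PkgName,
InstalledVersion, FixedVersion, Severity) are Trivy's. SAMPLE_REPORT is
constructed: the three Django CVEs come from the README's example comment,
the EXAMPLE-* entries are placeholders, not real advisories.
"""
import json
import sys
from collections import Counter, defaultdict

SEVERITY_ORDER = ["CRITICAL", "HIGH", "MEDIUM", "LOW", "UNKNOWN"]
BLOCKING_SEVERITIES = frozenset({"CRITICAL", "HIGH"})  # the action's gate
# Badges for CRITICAL/HIGH match the README; the rest are this example's choice.
BADGE = {"CRITICAL": "🔴", "HIGH": "🟠", "MEDIUM": "🟡", "LOW": "🟢", "UNKNOWN": "⚪"}

SAMPLE_REPORT = {"Results": [
    {"Target": "requirements.txt", "Class": "lang-pkgs", "Type": "pip",
     "Vulnerabilities": [
        {"VulnerabilityID": "CVE-2023-31047", "PkgName": "Django", "Severity": "CRITICAL",
         "InstalledVersion": "3.2.14", "FixedVersion": "3.2.19, 4.1.9, 4.2.1"},
        {"VulnerabilityID": "CVE-2022-36359", "PkgName": "Django", "Severity": "HIGH",
         "InstalledVersion": "3.2.14", "FixedVersion": "3.2.15, 4.0.7"},
        {"VulnerabilityID": "CVE-2022-41323", "PkgName": "Django", "Severity": "HIGH",
         "InstalledVersion": "3.2.14", "FixedVersion": "3.2.16, 4.0.8, 4.1.2"},
        {"VulnerabilityID": "EXAMPLE-MEDIUM-1", "PkgName": "examplepkg", "Severity": "MEDIUM",
         "InstalledVersion": "1.0.0", "FixedVersion": "1.0.1"},
        # No FixedVersion and no Severity: Trivy omits fields it has no data for.
        {"VulnerabilityID": "EXAMPLE-NOFIX-1", "PkgName": "otherpkg", "InstalledVersion": "0.1.0"},
     ]},
    # A clean target has no "Vulnerabilities" key at all.
    {"Target": "package-lock.json", "Class": "lang-pkgs", "Type": "npm"},
]}


def summarize(report, blocking=BLOCKING_SEVERITIES):
    """Count findings per severity, group them by (file, package), decide the gate."""
    counts = Counter()
    groups = defaultdict(list)
    for result in report.get("Results", []):
        target = result.get("Target", "?")
        for vuln in result.get("Vulnerabilities") or []:
            severity = (vuln.get("Severity") or "UNKNOWN").upper()
            if severity not in SEVERITY_ORDER:
                severity = "UNKNOWN"  # never silently drop an unexpected value
            counts[severity] += 1
            groups[(target, vuln.get("PkgName", "?"))].append({
                "id": vuln.get("VulnerabilityID", "?"),
                "severity": severity,
                "installed": vuln.get("InstalledVersion", "?"),
                "fixed": vuln.get("FixedVersion") or "no fix available",
            })
    for findings in groups.values():  # worst finding first within each package
        findings.sort(key=lambda f: SEVERITY_ORDER.index(f["severity"]))
    return {
        "total": sum(counts.values()),
        "by_severity": {s: counts[s] for s in SEVERITY_ORDER},
        "groups": dict(groups),
        "blocking": sum(counts[s] for s in blocking),
    }


def should_block(summary):
    """True when the PR must not merge, i.e. any blocking-severity finding exists."""
    return summary["blocking"] > 0


def render_comment(summary):
    """Render the Markdown the action posts (same columns as the README example)."""
    lines = ["🔍 Security Scan Results", ""]
    if should_block(summary):
        lines.append(f"⛔️ Action Required: {summary['blocking']} "
                     "Critical/High severity vulnerabilities found")
    else:
        lines.append("✅ No Critical/High severity vulnerabilities found")
    lines += ["", f"Found {summary['total']} total vulnerabilities", "",
              "| Path | VulnerabilityID | PackageName | Severity | InstalledVersion | FixedVersion |",
              "|---|---|---|---|---|---|"]
    for (target, pkg), findings in sorted(summary["groups"].items()):
        for f in findings:
            lines.append(f"| {target} | {f['id']} | {pkg} | {BADGE[f['severity']]} "
                         f"{f['severity']} | {f['installed']} | {f['fixed']} |")
    return "\n".join(lines)


def main(argv):
    """python trivy_gate.py [trivy.json]; with no file the constructed sample is used."""
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            report = json.load(fh)
    else:
        report = SAMPLE_REPORT
    summary = summarize(report)
    print(render_comment(summary))
    return 1 if should_block(summary) else 0  # non-zero exit fails the CI job


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run `python trivy_gate.py trivy.json` after the scan: the printed comment is the same summary the action posts, and the exit status is the same gate decision, so you can see locally whether a PR would be blocked before pushing. The blocking set is a parameter of `summarize` so a stricter policy (for example blocking on Medium as well) is a one-line change rather than a rewrite.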

License

MIT License
