Vulnerability Scan Action

This GitHub Action scans your repository for security vulnerabilities using Trivy, providing detailed scan results as PR comments.

Features

  • 🔍 Comprehensive vulnerability scanning of your codebase
  • 📊 Detailed vulnerability reports as PR comments
  • 🚫 Automatic PR blocking for Critical/High severity vulnerabilities
  • 📝 Organized vulnerability reporting by severity and package
  • 🔄 Support for repositories with submodules

Usage

Add the following workflow to your repository (e.g., .github/workflows/security-scan.yml):

name: Security Scan

on:
  pull_request:
    types: [opened, synchronize, reopened]

jobs:
  security-scan:
    runs-on: ubuntu-latest
    steps:
      - name: Run Vulnerability Scanner
        uses: fylein/vulnerability-scan-action@master
        with:
          github_token: ${{ secrets.GITHUB_TOKEN }}

Inputs

| Input         | Description                           | Required | Default |
|---------------|---------------------------------------|----------|---------|
| github_token  | GitHub token for creating PR comments | Yes      | N/A     |
| is_submodule  | Whether to checkout submodules        | No       | false   |
| trivy_version | Version of Trivy to use               | No       | v0.48.1 |

Examples

Basic Usage

- name: Run Security Scan
  uses: fylein/vulnerability-scan-action@master
  with:
    github_token: ${{ secrets.GITHUB_TOKEN }}

Repository with Submodules

- name: Run Security Scan with Submodules
  uses: fylein/vulnerability-scan-action@master
  with:
    github_token: ${{ secrets.GITHUB_TOKEN }}
    is_submodule: true

Output

The action provides:

  1. A detailed PR comment containing:
    • Total vulnerability count
    • Breakdown by severity (Critical, High, Medium, Low, Unknown)
    • Detailed information for each vulnerability, grouped by package
    • Remediation suggestions
  2. Automatic PR blocking if Critical/High severity vulnerabilities are found

Example PR comment:

🔍 Security Scan Results

⛔️ Action Required: 3 Critical/High severity vulnerabilities found

Found 3 total vulnerabilities

| Path             | VulnerabilityID | PackageName | Severity    | InstalledVersion | FixedVersion         |
|------------------|-----------------|-------------|-------------|------------------|----------------------|
| requirements.txt | CVE-2023-31047  | Django      | 🔴 CRITICAL | 3.2.14           | 3.2.19, 4.1.9, 4.2.1 |
| requirements.txt | CVE-2022-36359  | Django      | 🟠 HIGH     | 3.2.14           | 3.2.15, 4.0.7        |
| requirements.txt | CVE-2022-41323  | Django      | 🟠 HIGH     | 3.2.14           | 3.2.16, 4.0.8, 4.1.2 |

Remediation

⚠️ Action Required: Critical/High severity vulnerabilities must be fixed before merging

  • Update vulnerable packages to their fixed versions where available
  • Run `trivy fs --scanners vuln .` locally to see more details

Behavior

  • The action will fail if any Critical or High severity vulnerabilities are found
  • Vulnerabilities are grouped by severity and package for easy review
  • Each vulnerability includes:
    • Vulnerability ID
    • Current and fixed versions
    • Brief description
    • Package information
    • Severity level
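The gating and grouping described in the Output and Behavior sections, as an added example that is not the action's own code: a Python script that reads a Trivy JSON report (the shape produced by `trivy fs --scanners vuln --format json .`), flattens it, counts findings per severity, groups them by path and package with the worst severity first, renders a comment table like the one above, and exits non-zero when any Critical/High finding is present. The report field names (Results, Target, Vulnerabilities, VulnerabilityID, PkgName, Severity, InstalledVersion, FixedVersion) are assumed from Trivy's JSON format, the embedded sample report is constructed (the fourth entry uses a placeholder ID), and the function names are mine.

```python
import json
import sys
from collections import Counter, defaultdict

# Severity order used for sorting and for the merge gate (mirrors the README).
SEVERITY_ORDER = ["CRITICAL", "HIGH", "MEDIUM", "LOW", "UNKNOWN"]
BLOCKING = {"CRITICAL", "HIGH"}

# Constructed sample in the shape of `trivy fs --scanners vuln --format json .`
# output. Field names are assumed from Trivy's JSON report; the first three
# entries mirror the README's example comment, the fourth is a placeholder.
SAMPLE_REPORT = json.dumps({
    "Results": [
        {
            "Target": "requirements.txt",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-2023-31047", "PkgName": "Django",
                 "Severity": "CRITICAL", "InstalledVersion": "3.2.14",
                 "FixedVersion": "3.2.19, 4.1.9, 4.2.1"},
                {"VulnerabilityID": "CVE-2022-36359", "PkgName": "Django",
                 "Severity": "HIGH", "InstalledVersion": "3.2.14",
                 "FixedVersion": "3.2.15, 4.0.7"},
                {"VulnerabilityID": "CVE-2022-41323", "PkgName": "Django",
                 "Severity": "HIGH", "InstalledVersion": "3.2.14",
                 "FixedVersion": "3.2.16, 4.0.8, 4.1.2"},
                # Placeholder ID, constructed to exercise the "no fix" path.
                {"VulnerabilityID": "CVE-0000-0000", "PkgName": "example-pkg",
                 "Severity": "MEDIUM", "InstalledVersion": "1.0.0",
                 "FixedVersion": ""},
            ],
        },
        # A clean target: Trivy omits the "Vulnerabilities" key entirely.
        {"Target": "package-lock.json"},
    ]
})


def collect_findings(report_json):
    """Flatten a Trivy JSON report into one dict per vulnerability."""
    report = json.loads(report_json)
    findings = []
    for result in report.get("Results", []):
        target = result.get("Target", "?")
        # Missing or null "Vulnerabilities" means the target had no findings.
        for vuln in result.get("Vulnerabilities") or []:
            findings.append({
                "path": target,
                "id": vuln.get("VulnerabilityID", "?"),
                "package": vuln.get("PkgName", "?"),
                "severity": (vuln.get("Severity") or "UNKNOWN").upper(),
                "installed": vuln.get("InstalledVersion", "?"),
                "fixed": vuln.get("FixedVersion") or "(no fix available)",
            })
    return findings


def severity_counts(findings):
    """Count findings per severity, always listing every level (zero if absent)."""
    counts = Counter(f["severity"] for f in findings)
    return {sev: counts.get(sev, 0) for sev in SEVERITY_ORDER}


def group_by_package(findings):
    """Group findings by (path, package); within a group, worst severity first."""
    rank = {sev: i for i, sev in enumerate(SEVERITY_ORDER)}
    groups = defaultdict(list)
    for f in findings:
        groups[(f["path"], f["package"])].append(f)
    for items in groups.values():
        items.sort(key=lambda f: rank.get(f["severity"], len(SEVERITY_ORDER)))
    return dict(groups)


def blocking_count(findings):
    """Merge gate: number of Critical/High findings; any non-zero value fails the check."""
    return sum(1 for f in findings if f["severity"] in BLOCKING)


def render_comment(findings):
    """Render a plain-text comment in the layout of the README's example."""
    counts = severity_counts(findings)
    blocking = blocking_count(findings)
    lines = ["Security Scan Results", ""]
    if blocking:
        lines.append(f"Action Required: {blocking} Critical/High severity vulnerabilities found")
    else:
        lines.append("No Critical/High severity vulnerabilities found")
    lines.append(f"Found {len(findings)} total vulnerabilities")
    lines.append(", ".join(f"{sev}: {n}" for sev, n in counts.items()))
    lines.append("")
    lines.append("Path | VulnerabilityID | PackageName | Severity | InstalledVersion | FixedVersion")
    for (path, pkg), items in sorted(group_by_package(findings).items()):
        for f in items:
            lines.append(f"{path} | {f['id']} | {pkg} | {f['severity']} | {f['installed']} | {f['fixed']}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Pipe a real report in (`trivy ... --format json . | python3 gate.py`) or
    # run without stdin to use the constructed sample.
    report = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_REPORT
    found = collect_findings(report)
    print(render_comment(found))
    sys.exit(1 if blocking_count(found) else 0)
```

The exit status is what makes the "automatic PR blocking" behavior work in CI: a job step that exits non-zero fails the check regardless of how the comment is posted, so the gate does not depend on a reviewer reading the table.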

Local Testing

To run the same scan locally:

  1. Install Trivy:
     curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin
  2. Run the scan:
     trivy fs --scanners vuln .

License

MIT License