[Tool] CI Trivy Pipeline (#45976)

Signed-off-by: AndyZiYe <yeziyu@starrocks.com>
2024-06-25 15:22:18 +08:00 · 2024-06-25 15:22:18 +08:00 · 705d1fb27f
parent 8ffdb40153
commit 705d1fb27f
3 changed files with 55 additions and 5 deletions
--- a/.github/workflows/ci-merged-sonarcloud-fe.yml
+++ b/.github/workflows/ci-merged-sonarcloud-fe.yml
@ -35,14 +35,14 @@ jobs:
          distribution: 'adopt'

      - name: Cache SonarCloud packages
-        uses: actions/cache@v3
+        uses: actions/cache@v4
        with:
          path: ~/.sonar/cache
          key: ${{ runner.os }}-sonar
          restore-keys: ${{ runner.os }}-sonar

      - name: Cache Maven packages
-        uses: actions/cache@v3
+        uses: actions/cache@v4
        with:
          path: ~/.m2
          key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }}
--- a/.github/workflows/ci-pipeline-branch.yml
+++ b/.github/workflows/ci-pipeline-branch.yml
@ -382,14 +382,14 @@ jobs:
          distribution: 'adopt'

      - name: Cache SonarCloud packages
-        uses: actions/cache@v3
+        uses: actions/cache@v4
        with:
          path: ~/.sonar/cache
          key: ${{ runner.os }}-sonar
          restore-keys: ${{ runner.os }}-sonar

      - name: Cache Maven packages
-        uses: actions/cache@v3
+        uses: actions/cache@v4
        with:
          path: ~/.m2
          key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }}
--- a/.github/workflows/ci-pipeline.yml
+++ b/.github/workflows/ci-pipeline.yml
@ -418,7 +418,7 @@ jobs:
          distribution: 'adopt'

      - name: Cache SonarCloud packages
-        uses: actions/cache@v3
+        uses: actions/cache@v4
        with:
          path: ~/.sonar/cache
          key: ${{ runner.os }}-sonar
@ -456,6 +456,56 @@ jobs:
          cd ${{ github.workspace }}/fe
          mvn -B -DskipTests verify org.sonarsource.scanner.maven:sonar-maven-plugin:sonar -Dsonar.projectKey=StarRocks_starrocks -Dsonar.pullrequest.key=${{ github.event.number }} -Dsonar.pullrequest.base=${{ github.base_ref }} -Dsonar.pullrequest.branch=${{ github.head_ref }}

+  trivy-fe-checker:
+    runs-on: [self-hosted, normal]
+    needs: fe-checker
+    if: needs.fe-checker.outputs.src_filter == 'true'
+    name: TRIVY CHECKER
+    env:
+      PR_NUMBER: ${{ github.event.number }}
+      CODE_PATH: ${{ github.workspace }}
+      BRANCH: ${{ github.base_ref }}
+      GH_TOKEN: ${{ github.token }}
+      REPORT_FILE: trivy-result-${{ github.event.number }}.txt
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Checkout PR
+        run: |
+          git config --global user.name "wanpengfei-git";
+          git config --global user.email "wanpengfei91@163.com";
+          git checkout $BRANCH;
+          git pull;
+          BRANCH_NAME="${BRANCH}-${PR_NUMBER}";
+          git fetch origin pull/${PR_NUMBER}/head:${BRANCH_NAME};
+          git checkout $BRANCH_NAME;
+          git checkout -b merge_pr;
+          git merge --squash --no-edit ${BRANCH} || (echo "Merge conflict, please check." && exit -1);
+
+      - name: Run
+        run: |
+          rm -rf /root/.cache/trivy
+          /var/local/env/trivy fs . --scanners vuln --vuln-type library --severity CRITICAL,HIGH \
+            --output ${REPORT_FILE}
+          cat ${REPORT_FILE}
+
+      - name: Publish Trivy Output to Summary
+        if: always()
+        run: |
+          if [[ -s ${REPORT_FILE} ]]; then
+            {
+              echo "### Security Output"
+              echo "<details><summary>Click to expand</summary>"
+              echo ""
+              echo '```terraform'
+              cat ${REPORT_FILE}
+              echo '```'
+              echo "</details>"
+            } >> $GITHUB_STEP_SUMMARY
+          fi
+
  fe-ut:
    runs-on: [self-hosted, normal]
    needs: [fe-codestyle-check]