feat(oauth): implement figma provider integration #3
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: PR Security Scan | |
| on: | |
| pull_request_target: | |
| types: [opened, synchronize, reopened] | |
| jobs: | |
| scan: | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: read | |
| pull-requests: write | |
| steps: | |
| - name: Check out code | |
| uses: actions/checkout@v4 | |
| with: | |
| ref: ${{ github.event.pull_request.head.sha }} | |
| fetch-depth: 0 | |
| submodules: 'recursive' | |
| - name: Build the Docker image | |
| uses: docker/build-push-action@v5 | |
| with: | |
| context: . | |
| push: false | |
| load: true | |
| tags: pr_image:${{ github.sha }} | |
| - name: Run Trivy vulnerability scanner on image | |
| uses: aquasecurity/[email protected] | |
| with: | |
| image-ref: 'pr_image:${{ github.sha }}' | |
| format: 'json' | |
| output: 'trivy-image-results.json' | |
| severity: 'CRITICAL,HIGH' | |
| - name: Run Trivy vulnerability scanner on source code | |
| uses: aquasecurity/[email protected] | |
| with: | |
| scan-type: 'fs' | |
| scan-ref: '.' | |
| format: 'json' | |
| output: 'trivy-fs-results.json' | |
| severity: 'CRITICAL,HIGH' | |
| - name: Process Trivy scan results | |
| id: process-results | |
| uses: actions/github-script@v7 | |
| with: | |
| script: | | |
| const fs = require('fs'); | |
| let commentBody = '## Security Scan Results for PR\n\n'; | |
| function processResults(results, title) { | |
| let sectionBody = `### ${title}\n\n`; | |
| if (results.Results && results.Results.some(result => result.Vulnerabilities && result.Vulnerabilities.length > 0)) { | |
| sectionBody += '| Package | Version | Vulnerability | Severity |\n'; | |
| sectionBody += '|---------|---------|----------------|----------|\n'; | |
| const uniqueVulns = new Set(); | |
| results.Results.forEach(result => { | |
| if (result.Vulnerabilities) { | |
| result.Vulnerabilities.forEach(vuln => { | |
| const vulnKey = `${vuln.PkgName}-${vuln.InstalledVersion}-${vuln.VulnerabilityID}`; | |
| if (!uniqueVulns.has(vulnKey)) { | |
| uniqueVulns.add(vulnKey); | |
| sectionBody += `| ${vuln.PkgName} | ${vuln.InstalledVersion} | [${vuln.VulnerabilityID}](https://nvd.nist.gov/vuln/detail/${vuln.VulnerabilityID}) | ${vuln.Severity} |\n`; | |
| } | |
| }); | |
| } | |
| }); | |
| } else { | |
| sectionBody += '🎉 No vulnerabilities found!\n'; | |
| } | |
| return sectionBody; | |
| } | |
| try { | |
| const imageResults = JSON.parse(fs.readFileSync('trivy-image-results.json', 'utf8')); | |
| const fsResults = JSON.parse(fs.readFileSync('trivy-fs-results.json', 'utf8')); | |
| commentBody += processResults(imageResults, "Docker Image Scan Results"); | |
| commentBody += '\n'; | |
| commentBody += processResults(fsResults, "Source Code Scan Results"); | |
| } catch (error) { | |
| commentBody += `There was an error while running the security scan: ${error.message}\n`; | |
| commentBody += 'Please contact the core team for assistance.'; | |
| } | |
| core.setOutput('comment-body', commentBody); | |
| - name: Find Comment | |
| uses: peter-evans/find-comment@v3 | |
| id: fc | |
| with: | |
| issue-number: ${{ github.event.pull_request.number }} | |
| comment-author: 'github-actions[bot]' | |
| body-includes: Security Scan Results for PR | |
| - name: Create or update comment | |
| uses: peter-evans/create-or-update-comment@v3 | |
| with: | |
| issue-number: ${{ github.event.pull_request.number }} | |
| comment-id: ${{ steps.fc.outputs.comment-id }} | |
| body: ${{ steps.process-results.outputs.comment-body }} | |
| edit-mode: replace |