Merge pull request #18 from grafana/trivy-diff

KristianGrafana · web-flow · commit ae330403c3a5 · 2025-03-21T13:51:25.000+01:00
Add Trivy diff
diff --git a/trivy/README.md b/trivy/README.md
@@ -0,0 +1,36 @@
+### Trivy Diff
+
+Use this as a reusable workflow like:
+
+```
+name: Trivy-diff
+
+on:
+  pull_request:
+    types: [synchronize, opened, reopened]
+    paths:
+      # Python
+      - '**/Pipfile.lock'
+      - '**/poetry.lock'
+      - '**/requirements.txt'
+      # PHP
+      - '**/composer.lock'
+      # Node.js
+      - '**/package-lock.json'
+      - '**/yarn.lock'
+      - '**/package.json'
+      # Go
+      - '**/go.sum'  
+jobs:
+  trivy-scan:
+    runs-on: ubuntu-latest
+    
+    steps:
+      # Use the Trivy Diff reusable workflow
+      - uses: grafana/security-github-actions/trivy/@trivy-diff
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          severities: "CRITICAL,HIGH"
+```
+
+Then this workflow will only be ran on PRs and only if a manifest file has been modified. 
diff --git a/trivy/action.yml b/trivy/action.yml
@@ -0,0 +1,82 @@
+name: Trivy diff
+description: Compare Trivy scan results between two branches
+inputs:
+  github-token:
+    description: "GitHub token for posting the comment"
+    required: true
+  severities:
+    description: "Comma-separated list of severity levels to consider (e.g., CRITICAL,HIGH,MEDIUM,LOW)"
+    required: false
+    default: "CRITICAL,HIGH"
+    
+runs:
+  using: "composite"
+  steps:
+    - name: "Checkout Repository"
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # 4.2.2
+      with:
+        fetch-depth: 0
+    
+    - name: "Checkout Target Branch"
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # 4.2.2
+      with:
+        ref: ${{ github.base_ref }}
+    
+    - name: "Scan Target Branch"
+      uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0 # 0.29.0
+      with:
+        scan-type: "fs"
+        scanners: vuln
+        timeout: 30s
+        ignore-unfixed: true	
+        version: v0.58.0
+        hide-progress: true
+        output: base_trivy_report.json
+        format: json
+        scan-ref: .
+        severity: ${{ inputs.severities }}
+    
+    - name: Checkout current commit
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # 4.2.2
+      with:
+        ref: ${{ github.sha }}
+        clean: false
+    
+    - name: "Scan Current Branch"
+      uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0 # 0.29.0
+      with:
+        scan-type: "fs"
+        scanners: vuln
+        timeout: 30s
+        ignore-unfixed: true	
+        version: v0.58.0
+        hide-progress: true
+        output: main_trivy_report.json
+        format: json
+        scan-ref: .
+        severity: ${{ inputs.severities }}
+        skip-setup-trivy: true
+      env:
+        TRIVY_SKIP_DB_UPDATE: true
+        TRIVY_SKIP_JAVA_DB_UPDATE: true
+        
+    - name: "Run Trivy Diff"
+      id: trivy-diff
+      run: |
+        node $GITHUB_ACTION_PATH/trivy-diff.js base_trivy_report.json main_trivy_report.json > output.txt
+      shell: bash
+    
+    - name: "Comment the Trivy diff"
+      env:
+        GITHUB_TOKEN: ${{ inputs.github-token }}
+        BRANCH_NAME: ${{ github.head_ref || github.ref_name }} 
+      run: |
+        output=$(cat output.txt)
+        if [ "$output" == "No new vulnerabilities found." ]; then
+          echo "No new vulnerabilities found."
+          exit 0
+        else
+          comment=$(echo -e "### New vulnerabilities introduced in branch $BRANCH_NAME compared to ${{ github.base_ref }}\n\n" ; jq -r '.[] | "* \(.VulnerabilityID), Severity: \(.Severity), Package: \(.PkgName), Installed: \(.InstalledVersion), Fixed: \(.FixedVersion // "N/A")"' output.txt)
+          gh pr comment ${{ github.event.pull_request.number }} --body "$comment"
+        fi
+      shell: bash
diff --git a/trivy/trivy-diff.js b/trivy/trivy-diff.js
@@ -0,0 +1,80 @@
+const fs = require('fs');
+
+// Vulnerability data structure
+class Vulnerability {
+    constructor(VulnerabilityID, PkgName, InstalledVersion, FixedVersion = "", Severity) {
+        this.VulnerabilityID = VulnerabilityID;
+        this.PkgName = PkgName;
+        this.InstalledVersion = InstalledVersion;
+        this.FixedVersion = FixedVersion;
+        this.Severity = Severity;
+    }
+}
+
+// Parse Trivy JSON output
+function parseTrivyOutput(file) {
+    try {
+        const data = fs.readFileSync(file, 'utf8');
+        return JSON.parse(data);
+    } catch (err) {
+        console.error(`Error reading file ${file}: ${err.message}`);
+        process.exit(1);
+    }
+}
+
+// Extract vulnerabilities into a map
+function extractVulnerabilities(result) {
+    const vulns = {};
+    result.Results.forEach(res => {
+        if (res.Vulnerabilities && Array.isArray(res.Vulnerabilities)) {
+            res.Vulnerabilities.forEach(vuln => {
+                const vulnKey = `${vuln.VulnerabilityID}-${vuln.PkgName}`;
+                vulns[vulnKey] = new Vulnerability(vuln.VulnerabilityID, vuln.PkgName, vuln.InstalledVersion, vuln.FixedVersion, vuln.Severity);
+            });
+        }
+    });
+    return vulns;
+}
+
+// Compare vulnerabilities and return new vulnerabilities in the test file
+function compareVulnerabilities(testVulns, mainVulns) {
+    const newVulns = [];
+    for (const key in testVulns) {
+        if (!mainVulns[key]) {
+            newVulns.push(testVulns[key]);
+        }
+    }
+    return newVulns;
+}
+
+// Main function
+function main() {
+    if (process.argv.length < 4) {
+        console.log("Usage: node trivy-diff.js <file_1> <file_2>");
+        process.exit(1);
+    }
+
+    const file1 = process.argv[2];
+    const file2 = process.argv[3];
+
+    // Parse the Trivy scan results
+    const mainResult = parseTrivyOutput(file1);
+    const testResult = parseTrivyOutput(file2);
+
+    // Extract vulnerabilities
+    const mainVulns = extractVulnerabilities(mainResult);
+    const testVulns = extractVulnerabilities(testResult);
+
+    // Compare vulnerabilities
+    const newVulns = compareVulnerabilities(testVulns, mainVulns);
+
+    // Output new vulnerabilities as JSON
+    if (newVulns.length === 0) {
+        console.log("No new vulnerabilities found.");
+    } else {
+        console.log(JSON.stringify(newVulns, null, 2));
+    }
+}
+
+// Run the main function
+main();
