From 29d7220105dd55a3b1abaa1fd3925ee1fd8eb2fa Mon Sep 17 00:00:00 2001
From: jiangpengcheng
Date: Tue, 14 May 2024 14:40:32 +0800
Subject: [PATCH] Print scan output to PR
---
 .github/workflows/trivy.yml | 71 +++++++++++++++++++++++++++++++++++++
 1 file changed, 71 insertions(+)
diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml
index 0ef79cb9..914f6958 100644
--- a/.github/workflows/trivy.yml
+++ b/.github/workflows/trivy.yml
@@ -66,44 +66,115 @@ jobs:
 PULSAR_IMAGE_TAG=3.2.2.5 PULSAR_IMAGE=streamnative/sn-platform KIND_PUSH=false images/build.sh
 - name: Run Trivy vulnerability scanner for java
+ id: scan-java-runner
 uses: aquasecurity/trivy-action@master
 with:
 image-ref: 'pulsar-functions-java-runner:latest'
 format: 'table'
 exit-code: '0'
+ output: '${{ github.workspace }}/scan-java-runner_output.txt'
 - name: Run Trivy vulnerability scanner for python
+ id: scan-python-runner
 uses: aquasecurity/trivy-action@master
 with:
 image-ref: 'pulsar-functions-python-runner:latest'
 format: 'table'
 exit-code: '0'
+ output: '${{ github.workspace }}/scan-python-runner_output.txt'
 - name: Run Trivy vulnerability scanner for go
+ id: scan-go-runner
 uses: aquasecurity/trivy-action@master
 with:
 image-ref: 'pulsar-functions-go-runner:latest'
 format: 'table'
 exit-code: '0'
+ output: '${{ github.workspace }}/scan-go-runner_output.txt'
 - name: Run Trivy vulnerability scanner for java with pulsarctl
+ id: scan-java-pulsarctl-runner
 uses: aquasecurity/trivy-action@master
 with:
 image-ref: 'pulsar-functions-pulsarctl-java-runner:latest'
 format: 'table'
 exit-code: '0'
+ output: '${{ github.workspace }}/scan-java-pulsarctl-runner_output.txt'
 - name: Run Trivy vulnerability scanner for python with pulsarctl
+ id: scan-python-pulsarctl-runner
 uses: aquasecurity/trivy-action@master
 with:
 image-ref: 'pulsar-functions-pulsarctl-python-runner:latest'
 format: 'table'
 exit-code: '0'
+ output: '${{ github.workspace }}/scan-python-pulsarctl-runner_output.txt'
 - name: Run Trivy vulnerability scanner for go with pulsarctl
+ id: scan-go-pulsarctl-runner
 uses: aquasecurity/trivy-action@master
 with:
 image-ref: 'pulsar-functions-pulsarctl-go-runner:latest'
 format: 'table'
 exit-code: '0'
+ output: '${{ github.workspace }}/scan-go-pulsarctl-runner_output.txt'
+
+ # Comment on PR with the scan output since the action won't fail with CVEs
+ - name: Comment on PR
+ uses: actions/github-script@v5
+ with:
+ script: |
+ const fs = require('fs');
+ const path = require('path');
+ const uniqueIdentifier = '#Runner Images Scan Result:';
+
+ // Function to get output from a file
+ function getOutput(stepId) {
+ const outputFile = path.join(process.env.GITHUB_WORKSPACE, `${stepId}_output.txt`);
+ if (fs.existsSync(outputFile)) {
+ return fs.readFileSync(outputFile, 'utf8');
+ }
+ return ''; // Return empty string if file does not exist
+ }
+
+ // Combine outputs from different steps
+ const outputs = [
+ { label: 'Java Runner', output: getOutput('scan-java-runner') },
+ { label: 'Python Runner', output: getOutput('scan-python-runner') },
+ { label: 'Go Runner', output: getOutput('scan-go-runner') },
+ { label: 'Java Runner with Pulsarctl', output: getOutput('scan-java-pulsarctl-runner') },
+ { label: 'Python Runner with Pulsarctl', output: getOutput('scan-python-pulsarctl-runner') },
+ { label: 'Go Runner with Pulsarctl', output: getOutput('scan-go-pulsarctl-runner') },
+ ].filter(item => item.output !== '');
+
+ // Format the combined message
+ let combinedMessage = outputs.map(item => `**${item.label} Vulnerabilities:**\n\`\`\`\n${item.output}\n\`\`\``).join('\n\n');
+ combinedMessage = `${uniqueIdentifier}\n\n` + combinedMessage; // Add unique identifier to the message
+
+ const issue_number = context.issue.number;
+ const octokit = github.getOctokit(process.env.GITHUB_TOKEN);
+ const { data: comments } = await octokit.rest.issues.listComments({
+ ...context.repo,
+ issue_number: issue_number,
+ });
+
+ // Find existing comment
+ const existingComment = comments.find(comment => comment.body.includes(uniqueIdentifier));
+
+ // Update or create comment
+ if (existingComment) {
+ await octokit.rest.issues.updateComment({
+ ...context.repo,
+ comment_id: existingComment.id,
+ body: combinedMessage
+ });
+ } else {
+ await octokit.rest.issues.createComment({
+ ...context.repo,
+ issue_number: issue_number,
+ body: combinedMessage
+ });
+ }
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
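Review bot: The line `const octokit = github.getOctokit(process.env.GITHUB_TOKEN);` in the new "Comment on PR" step looks wrong for `actions/github-script`: the `github` object the action injects is already an authenticated Octokit client and, as far as I can tell, has no `getOctokit` method, so the step would throw before it ever lists comments. Drop that line together with the `env:` block and call `github.rest.issues.listComments` / `updateComment` / `createComment` directly (the action authenticates through its `github-token` input, which defaults to `${{ github.token }}`); if the job declares a `permissions:` block it will also need `pull-requests: write` for these calls. `context.issue.number` is undefined on a `push` run and the workflow trigger is not visible in this hunk, so guard the API calls with `if (!context.issue.number) return;` rather than letting the step fail with a 404. Matching `comment.body.includes(uniqueIdentifier)` can pick and overwrite a human's comment that merely quotes the marker; `comment.body?.startsWith(uniqueIdentifier) && comment.user?.login === 'github-actions[bot]'` limits updates to the bot's own comment, and since six Trivy tables can exceed GitHub's comment-body size limit, truncate `combinedMessage` before posting. The enclosing job definition starts before this hunk.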