name: Run Vulnerability Data Script with Parameters and Update PR on: workflow_dispatch: inputs: image_name: description: 'Docker image name to scan' required: true default: 'appsmith/appsmith-ce:release' jobs: run-and-update-pr: runs-on: ubuntu-latest steps: - name: Checkout repository uses: actions/checkout@v3 - name: Set up Node.js uses: actions/setup-node@v3 with: node-version: '20' - name: Login to DockerHub uses: docker/login-action@v3 with: username: ${{ secrets.DOCKER_HUB_USERNAME }} password: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }} - name: Install pg run: npm install pg - name: Fetch vulnerability data id: vulnerability_data env: DB_HOST: ${{ secrets.CYPRESS_DB_HOST }} DB_NAME: ${{ secrets.CYPRESS_DB_NAME }} DB_USER: ${{ secrets.CYPRESS_DB_USER }} DB_PWD: ${{ secrets.CYPRESS_DB_PWD }} uses: actions/github-script@v7 with: script: | const { Pool } = require("pg"); const fs = require('fs'); const path = require('path'); const { DB_HOST, DB_NAME, DB_USER, DB_PWD } = process.env; const pool = new Pool({ user: DB_USER, host: DB_HOST, database: DB_NAME, password: DB_PWD, port: 5432, connectionTimeoutMillis: 60000, }); (async () => { const client = await pool.connect(); try { // Fetch vurn_id, product, scanner_tool, and priority from the database const result = await client.query(`SELECT vurn_id, product, scanner_tool, priority FROM vulnerability_tracking`); console.log('Vulnerability Data:', result.rows); // Extract relevant fields from the result const extractedData = result.rows.map(({ vurn_id, product, scanner_tool, priority }) => ({ vurn_id, product, scanner_tool, priority })); console.log('Extracted Vulnerability Data:', extractedData); // Prepare CSV content const csvContent = [ ['vurn_id', 'product', 'scanner_tool', 'priority'], // Add priority column header ...extractedData.map(row => [row.vurn_id, row.product, row.scanner_tool, row.priority]) ] .map(e => e.join(',')) // Join columns .join('\n'); // Join rows // Write to CSV file in workspace const csvFilePath = path.join(process.env.GITHUB_WORKSPACE, 'vulnerability_base_data.csv'); fs.writeFileSync(csvFilePath, csvContent); console.log(`Data successfully written to ${csvFilePath}`); // Prepare TXT content const txtContent = extractedData .map(row => `vurn_id: ${row.vurn_id}, product: ${row.product}, scanner_tool: ${row.scanner_tool}, priority: ${row.priority}`) .join('\n'); // Join rows // Write to TXT file in workspace const txtFilePath = path.join(process.env.GITHUB_WORKSPACE, 'vulnerability_base_data.txt'); fs.writeFileSync(txtFilePath, txtContent); console.log(`Data successfully written to ${txtFilePath}`); client.release(); return extractedData; // Return the extracted data } catch (err) { console.error('Error fetching vulnerability data:', err); client.release(); } })(); - name: Upload Vulnerability Data uses: actions/upload-artifact@v3 with: name: vulnerability-data path: | vulnerability_base_data.csv vulnerability_base_data.txt # Run Scout vulnerability data script - name: Run Scout vulnerability data script if: always() env: DB_HOST: ${{ secrets.CYPRESS_DB_HOST }} DB_NAME: ${{ secrets.CYPRESS_DB_NAME }} DB_USER: ${{ secrets.CYPRESS_DB_USER }} DB_PWD: ${{ secrets.CYPRESS_DB_PWD }} run: | chmod +x scripts/scout_vulnerabilities_data.sh ./scripts/scout_vulnerabilities_data.sh \ "${{ inputs.image_name }}" \ "${{ github.event.pull_request.number }}" \ "${{ github.event.pull_request.html_url }}" \ "${{ github.run_id }}" - name: Run Trivy vulnerability data script if: always() env: DB_HOST: ${{ secrets.CYPRESS_DB_HOST }} DB_NAME: ${{ secrets.CYPRESS_DB_NAME }} DB_USER: ${{ secrets.CYPRESS_DB_USER }} DB_PWD: ${{ secrets.CYPRESS_DB_PWD }} GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: | echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u "${{ github.actor }}" --password-stdin chmod +x scripts/trivy_vulnerabilities_data.sh ./scripts/trivy_vulnerabilities_data.sh \ "${{ inputs.image_name }}" \ "${{ github.event.pull_request.number }}" \ "${{ github.event.pull_request.html_url }}" \ "${{ github.run_id }}"