Compare vulnerabilities between develop (base) and TASK-7908 (head) by @juanfeSanahuja #23
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Compare vulnerabilities (Syft SBOM -> Grype) between two branches (robust) | |
| run-name: 'Compare vulnerabilities between ${{ inputs.branch_a }} (base) and ${{ inputs.branch_b }} (head) by @${{ github.actor }}' | |
| on: | |
| workflow_dispatch: | |
| inputs: | |
| branch_a: | |
| description: 'Base branch (e.g. develop)' | |
| required: true | |
| default: 'develop' | |
| branch_b: | |
| description: 'Head branch (e.g. TASK-1234)' | |
| required: true | |
| jobs: | |
| compare-branches: | |
| runs-on: ${{ vars.UBUNTU_VERSION }} | |
| steps: | |
| # 1) Checkout head branch only | |
| - name: Checkout head branch | |
| uses: actions/checkout@v4 | |
| with: | |
| ref: ${{ github.event.inputs.branch_b }} | |
| fetch-depth: 0 | |
| fetch-tags: true | |
| # 2) Ensure base branch exists locally (fetch) | |
| - name: Fetch base branch | |
| run: | | |
| git fetch origin ${{ github.event.inputs.branch_a }}:refs/remotes/origin/${{ github.event.inputs.branch_a }} | |
| # 3) Run the action | |
| - name: Vulnerability Diff (Syft+Grype) | |
| uses: sec-open/[email protected] | |
| with: | |
| base_ref: ${{ github.event.inputs.branch_a }} # pass 'develop' | |
| head_ref: ${{ github.event.inputs.branch_b }} # pass 'TASK-7908' | |
| # build_command: "" | |
| # write_summary: "true" | |
| # upload_artifact: "true" | |
| # artifact_name: "vulnerability-diff-${{ github.event.inputs.branch_a }}-vs-${{ github.event.inputs.branch_b }}" | |
| # report_html: "true" | |
| # report_pdf: "true" | |
| # min_severity: "LOW" | |
| # title_logo_url: "https://zettagenomics.com/wp-content/uploads/2022/10/Zetta-reversed-out-full-logo-dark-background.png" | |