ci: upload security scanning to GHCS

dvsa · Jul 11, 2024 · 03b17ac · 03b17ac
1 parent 4402e0b
commit 03b17ac
Showing 1 changed file with 12 additions and 7 deletions.
diff --git a/.github/workflows/docker.yaml b/.github/workflows/docker.yaml
@@ -168,13 +168,18 @@ jobs:
           cache-from: type=gha
 
       - name: Scan
+        id: scan
         uses: aquasecurity/trivy-action@0.23.0
         with:
           image-ref: ${{ steps.build-and-push.outputs.imageid }}
-          # format: 'sarif'
-          # output: 'trivy-results.sarif'
-
-      # - name: Upload Trivy scan results to GitHub Code Scanning
-      #   uses: github/codeql-action/upload-sarif@v3
-      #   with:
-      #     sarif_file: 'trivy-results.sarif'
+          format: 'sarif'
+          exit-code: '1'
+          ignore-unfixed: true
+          vuln-type: 'os,library'
+          severity: 'CRITICAL,HIGH'
+
+      - name: Upload Trivy scan results to GitHub Code Scanning
+        if: ${{ always() && !cancelled() && steps.scan.outcome == 'success' || steps.scan.outcome == 'failure' }}
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: 'trivy-results.sarif'