jaydrogers committed Dec 11, 2024
1 parent 3f7e3d5 commit faa59e0
Showing 1 changed file with 11 additions and 7 deletions.
18 changes: 11 additions & 7 deletions .github/workflows/action_publish-images-security-updates.yml
Expand Up @@ -35,13 +35,6 @@ jobs:
ignore-unfixed: true
severity: 'CRITICAL,HIGH'
hide-progress: true

- name: Upload trivy report as a Github artifact
uses: actions/upload-artifact@v4
with:
name: trivy-sbom-report
path: '${{ github.workspace }}/trivy-results.json'
retention-days: 20

# Parse results to set has_vulnerabilities (for workflow control)
- if: inputs.skip_scan != true
Expand All @@ -52,12 +45,23 @@ jobs:
VULN_COUNT=$(jq -r '.vulnerabilities | length // 0' trivy-results.json)
if [ "${VULN_COUNT:-0}" -gt 0 ]; then
echo "has_vulnerabilities=true" >> "$GITHUB_OUTPUT"
# Create native GitHub annotations for vulnerabilities
echo "# Security Vulnerabilities Found" >> $GITHUB_STEP_SUMMARY
echo "| Severity | Package | Installed Version | Vulnerability ID | Description |" >> $GITHUB_STEP_SUMMARY
echo "|----------|---------|-------------------|------------------|-------------|" >> $GITHUB_STEP_SUMMARY
jq -r '.vulnerabilities[] | "| \(.severity) | \(.pkgName) | \(.installedVersion) | \(.vulnerabilityID) | \(.title) |"' trivy-results.json >> $GITHUB_STEP_SUMMARY
echo "::notice::Found ${VULN_COUNT} security vulnerabilities that need to be addressed."
else
echo "has_vulnerabilities=false" >> "$GITHUB_OUTPUT"
echo "No vulnerabilities found." >> $GITHUB_STEP_SUMMARY
fi
else
echo "Error: trivy-results.json not found"
echo "has_vulnerabilities=false" >> "$GITHUB_OUTPUT"
echo "::error::trivy-results.json not found"
exit 1
fi
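Review bot: The row-building line `jq -r '.vulnerabilities[] | "| \(.severity) | \(.pkgName) | \(.installedVersion) | \(.vulnerabilityID) | \(.title) |"'` interpolates Trivy fields straight into a markdown table, so a `|` or line break in a title would split the row and a missing title prints as `null`; with the JSON report no longer uploaded, this summary is the only rendering of the findings, so it should survive odd titles. I would build each row from an array with the title sanitised, e.g. `jq -r '.vulnerabilities[] | [.severity, .pkgName, .installedVersion, .vulnerabilityID, ((.title // "") | gsub("[|\n]"; " "))] | "| " + join(" | ") + " |"'` (whether titles actually contain `|` is not visible here, so treat this as defensive). The new lines also append to `$GITHUB_STEP_SUMMARY` unquoted while the neighbouring `has_vulnerabilities=true` line quotes `"$GITHUB_OUTPUT"`; quoting both keeps the step consistent and ShellCheck-clean. The `run` script this hunk belongs to starts above the hunk, so I could not check how `trivy-results.json` is produced or whether `jq` is guaranteed on the runner.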
