upload sarif from trivy scan #616
Conversation
Pull Request Overview

This PR enables publishing SARIF results from Trivy scans to the GitHub Security tab by correcting the workflow YAML and uncommenting the upload step.

- Fixed the schedule entry formatting in the workflow trigger
- Un-commented and aligned the `sarif` input for the Trivy scan step
- Added a step to upload the generated SARIF file to the Security tab
Comments suppressed due to low confidence (3)

.github/workflows/trivy.yml:6

- The schedule entry has an extra dash and inconsistent indentation, which may break the YAML parsing. Align it as a single list item under `schedule:` with a single dash and uniform spacing.

```yaml
- - cron: "0 14 * * 1" # each Monday at 9am EST
```

.github/workflows/trivy.yml:35

- [nitpick] The `sarif` input is indented two spaces more than the other keys in this block. Adjust indentation to match `severities:` and `dockerfile:` for better readability.

```yaml
sarif: ${{ !github.base_ref && env.SARIF_PATH || '' }}
```

.github/workflows/trivy.yml:37

- Consider adding an `id` to this upload step (e.g., `id: upload-sarif`) and ensure `SARIF_PATH` is defined or exported in the job's `env` so the file reference is explicit and maintainable.

```yaml
- name: Upload Trivy scan results to GitHub Security tab
```
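A workflow that applies all three review points above (one `cron` list item under `schedule:`, the `sarif` path aligned with its sibling keys, and an upload step with an explicit `id` and a job-level `SARIF_PATH`) is shown below as an added example. It is not the repository's own `.github/workflows/trivy.yml`: the repository's scan action and its `sarif`/`severities`/`dockerfile` inputs are not shown in full on this page, so the example assumes `aquasecurity/trivy-action` with its `format`/`output` inputs, `github/codeql-action/upload-sarif` with `sarif_file`, pinned action versions, and the file name `trivy-results.sarif`.

```yaml
name: trivy

on:
  push:
    branches: [master]
  pull_request:
  schedule:
    - cron: "0 14 * * 1" # each Monday at 9am EST (14:00 UTC); single dash, uniform indent

# Least privilege: uploading SARIF needs security-events: write; the scan itself
# only needs to read the checkout. Nothing else is granted.
permissions:
  contents: read
  security-events: write

env:
  # Defined once so the scan step and the upload step point at the same file.
  # (Assumed file name.)
  SARIF_PATH: trivy-results.sarif

jobs:
  trivy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Run Trivy scan
        id: trivy
        # aquasecurity/trivy-action and its version pin are assumed here; the
        # repository's own action (with `sarif`, `severities`, `dockerfile`
        # inputs) is not shown in full on the page.
        uses: aquasecurity/trivy-action@0.28.0
        with:
          scan-type: fs
          scan-ref: .
          format: sarif
          output: ${{ env.SARIF_PATH }}   # same key depth as the other inputs
          severity: CRITICAL,HIGH
          exit-code: "0"   # do not fail the job; findings surface in the Security tab

      - name: Upload Trivy scan results to GitHub Security tab
        id: upload-sarif
        # Same guard as the original `sarif: ${{ !github.base_ref && ... }}`
        # expression: github.base_ref is empty on push/schedule runs and set on
        # pull_request runs, so on PRs no SARIF is written and this step must
        # be skipped too, or it fails on the missing file.
        if: ${{ !github.base_ref }}
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: ${{ env.SARIF_PATH }}
          category: trivy   # separates this upload from other SARIF uploads (e.g. CodeQL)
```

Two things to check after merging: the `permissions` block must grant `security-events: write` or the upload step is rejected, and the `if:` on the upload step must mirror whatever condition decides whether the scan step writes SARIF at all, otherwise PR runs fail on a file that was never produced.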
This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.

Note: trivy.yml findings in the security tab are from codeql, not trivy.
upload sarif from trivy scans here to expose in the security tab