From e68cf5eb09c0bdb1afb519a834758532e0603d2d Mon Sep 17 00:00:00 2001
From: Akhil Highflame
Date: Wed, 18 Mar 2026 17:45:58 +0530
Subject: [PATCH] devops: Patching the trivy scan pipeline
---
 .github/workflows/pr-check.yml | 66 +++++++++++++++++-----------------
 1 file changed, 34 insertions(+), 32 deletions(-)
diff --git a/.github/workflows/pr-check.yml b/.github/workflows/pr-check.yml
index 86994d2..8218967 100644
--- a/.github/workflows/pr-check.yml
+++ b/.github/workflows/pr-check.yml
@@ -103,52 +103,33 @@ jobs: runs-on: ubuntu-24.04 steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@v6 with: persist-credentials: true - - name: Trivy Scan - GitHub Security Report - if: ${{ env.GH_SEC_REPORT == 'true' }} - uses: aquasecurity/trivy-action@0.29.0 + - name: Manual Trivy Setup + uses: aquasecurity/setup-trivy@v0.2.5 with: - ignore-unfixed: true - scan-type: "fs" - cache: "true" - format: "sarif" - output: "${{ env.TRIVY_REPORT_FILE }}.sarif" - severity: "${{ env.TRIVY_SEVERITY }}" - - - name: Upload Report - GitHub Security Report - if: ${{ env.GH_SEC_REPORT == 'true' }} - uses: github/codeql-action/upload-sarif@v3 - with: - sarif_file: "${{ env.TRIVY_REPORT_FILE }}.sarif" + cache: true + version: ${{ env.TRIVY_VER }} - name: Trivy Scan - Text Security Report + id: trivy_scan_txt if: ${{ env.GH_SEC_REPORT == 'false' }} - uses: aquasecurity/trivy-action@0.29.0 + uses: aquasecurity/trivy-action@0.35.0 + continue-on-error: true with: ignore-unfixed: true + skip-setup-trivy: true scan-type: "fs" - cache: "true" + cache: "false" format: "table" output: "${{ env.TRIVY_REPORT_FILE }}.txt" severity: "${{ env.TRIVY_SEVERITY }}" - - - name: Report Check - Text Security Report - if: ${{ env.GH_SEC_REPORT == 'false' }} - id: report_check - shell: bash - run: |- - if [[ -s ${{ env.TRIVY_REPORT_FILE }}.txt ]] ; then - echo "report_file=available" >> ${GITHUB_OUTPUT} - else - echo "report_file=unavailable" >> ${GITHUB_OUTPUT} - fi - cat ${{ env.TRIVY_REPORT_FILE }}.txt + exit-code: 1 - name: Upload Report - Text Security Report - if: ${{ env.GH_SEC_REPORT == 'false' && steps.report_check.outputs.report_file == 'available' }} + if: ${{ env.GH_SEC_REPORT == 'false' && steps.trivy_scan_txt.outcome == 'failure' }} uses: actions/upload-artifact@v4 with: name: "${{ env.TRIVY_REPORT_FILE }}" 
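Review bot: The new `steps.trivy_scan_txt.outcome == 'failure'` condition on the "Upload Report - Text Security Report" step (and on "Failing the Job" in the next hunk) cannot tell a scan that found vulnerabilities apart from a scan that failed for another reason, because under `continue-on-error: true` a database download or invocation error also ends in outcome `failure`; the job would then announce "Vulnerabilities Found" and, with no report written, `if-no-files-found: error` turns the upload into an unrelated error. Consider keeping a guard on the report file, e.g. `if: ${{ env.GH_SEC_REPORT == 'false' && steps.trivy_scan_txt.outcome == 'failure' && hashFiles(format('{0}.txt', env.TRIVY_REPORT_FILE)) != '' }}`, and consider reinstating the removed `cat` of the report so findings stay visible in the job log rather than only in a one-day artifact. The text scan also lost parity with the SARIF scan added below, which passes `timeout: "${{ env.TRIVY_TIMEOUT }}"` while this step does not; if the env var is defined above this hunk, the same input belongs here. The newly introduced `aquasecurity/setup-trivy@v0.2.5` and `aquasecurity/trivy-action@0.35.0` (and the bumped `actions/checkout@v6`) are pinned by mutable tag; pinning the full commit SHA with the tag in a trailing comment would harden the scanning pipeline itself against a moved tag. The enclosing job definition starts above this hunk.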
@@ -156,8 +137,29 @@ jobs: if-no-files-found: error retention-days: 1 + - name: Trivy Scan - GitHub Security Report + id: trivy_scan_sec + if: ${{ env.GH_SEC_REPORT == 'true' }} + uses: aquasecurity/trivy-action@0.35.0 + with: + ignore-unfixed: true + skip-setup-trivy: true + scan-type: "fs" + cache: "false" + format: "sarif" + output: "${{ env.TRIVY_REPORT_FILE }}.sarif" + severity: "${{ env.TRIVY_SEVERITY }}" + timeout: "${{ env.TRIVY_TIMEOUT }}" + exit-code: 1 + + - name: Upload Report - GitHub Security Report + if: ${{ env.GH_SEC_REPORT == 'true' && steps.trivy_scan_sec.outcome == 'failure' }} + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: "${{ env.TRIVY_REPORT_FILE }}.sarif" + - name: Failing the Job - if: ${{ steps.report_check.outputs.report_file == 'available' }} + if: ${{ steps.trivy_scan_txt.outcome == 'failure' || steps.trivy_scan_sec.outcome == 'failure' }} shell: bash run: |- echo "Vulnerabilities Found.....!"
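Review bot: The new "Trivy Scan - GitHub Security Report" step sets `exit-code: 1` but, unlike `trivy_scan_txt`, has no `continue-on-error: true`, so when findings exist the step fails the job outright and the following "Upload Report - GitHub Security Report" and "Failing the Job" steps are skipped by the implicit `success()` status check in their `if`; the SARIF would never reach code scanning in exactly the case it is meant for. Add `continue-on-error: true` directly under `uses: aquasecurity/trivy-action@0.35.0`, matching the text-scan step. Separately, gating the SARIF upload on `steps.trivy_scan_sec.outcome == 'failure'` means a clean scan never uploads a result, so alerts already open in code scanning are not auto-resolved once the vulnerability is fixed; uploading whenever the scan ran, e.g. `if: ${{ env.GH_SEC_REPORT == 'true' && steps.trivy_scan_sec.outcome != 'skipped' }}`, keeps the alert state accurate. The `run:` block of "Failing the Job" appears to continue past the end of this hunk.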