Skip to content

Commit

Permalink
Split the uploading of trivy and grype results (#2860)
Browse files Browse the repository at this point in the history
as suggested here:

github/codeql-action#2476 (comment)

Signed-off-by: Dimitris Karakasilis <[email protected]>
  • Loading branch information
jimmykarily authored Sep 16, 2024
1 parent 7b9fb8a commit f78ad12
Show file tree
Hide file tree
Showing 4 changed files with 53 additions and 30 deletions.
31 changes: 22 additions & 9 deletions .github/workflows/release-arm.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -294,15 +294,21 @@ jobs:
build/*scan-reports.tar.gz
- name: Prepare sarif files 🔧
run: |
mkdir sarif
sudo mv build/*.sarif sarif/
mkdir trivy-sarif grype-sarif
sudo mv build/*trivy.sarif trivy-sarif/
sudo mv build/*grype.sarif grype-sarif/
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@afb54ba388a7dca6ecae48f608c4ff05ff4cc77a # v3
if: startsWith(github.ref, 'refs/tags/')
with:
sarif_file: 'sarif'
category: ${{ matrix.flavor }}

sarif_file: 'trivy-sarif'
category: ${{ matrix.flavor }}-trivy
- name: Upload Grype scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@afb54ba388a7dca6ecae48f608c4ff05ff4cc77a # v3
if: startsWith(github.ref, 'refs/tags/')
with:
sarif_file: 'grype-sarif'
category: ${{ matrix.flavor }}-grype
build-arm-standard:
runs-on: ARM64
needs:
Expand Down Expand Up @@ -395,14 +401,21 @@ jobs:
build/*scan-reports.tar.gz
- name: Prepare sarif files 🔧
run: |
mkdir sarif
sudo mv build/*.sarif sarif/
mkdir trivy-sarif grype-sarif
sudo mv build/*trivy.sarif trivy-sarif/
sudo mv build/*grype.sarif grype-sarif/
- name: Upload Trivy scan results to GitHub Security tab
if: startsWith(github.ref, 'refs/tags/')
uses: github/codeql-action/upload-sarif@afb54ba388a7dca6ecae48f608c4ff05ff4cc77a # v3
with:
sarif_file: 'sarif'
category: ${{ matrix.flavor }}
sarif_file: 'trivy-sarif'
category: ${{ matrix.flavor }}-trivy
- name: Upload Grype scan results to GitHub Security tab
if: startsWith(github.ref, 'refs/tags/')
uses: github/codeql-action/upload-sarif@afb54ba388a7dca6ecae48f608c4ff05ff4cc77a # v3
with:
sarif_file: 'grype-sarif'
category: ${{ matrix.flavor }}-grype
- name: Space stats
if: always()
run: |
Expand Down
15 changes: 11 additions & 4 deletions .github/workflows/release.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -193,8 +193,9 @@ jobs:
--output-signature="${filename}.sig" "${filename}"
- name: Prepare files for release
run: |
mkdir sarif
mv release/*.sarif sarif/
mkdir trivy-sarif grype-sarif
sudo mv release/*trivy.sarif trivy-sarif/
sudo mv release/*grype.sarif grype-sarif/
mkdir reports
mv release/*.json reports/
cd reports
Expand All @@ -213,8 +214,14 @@ jobs:
uses: github/codeql-action/upload-sarif@afb54ba388a7dca6ecae48f608c4ff05ff4cc77a # v3
if: startsWith(github.ref, 'refs/tags/')
with:
sarif_file: 'sarif'
category: ${{ matrix.flavor }}
sarif_file: 'trivy-sarif'
category: ${{ matrix.flavor }}-trivy
- name: Upload Grype scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@afb54ba388a7dca6ecae48f608c4ff05ff4cc77a # v3
if: startsWith(github.ref, 'refs/tags/')
with:
sarif_file: 'grype-sarif'
category: ${{ matrix.flavor }}-grype
build-core-uki:
runs-on: ubuntu-latest
permissions:
Expand Down
15 changes: 11 additions & 4 deletions .github/workflows/reusable-build-flavor.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -135,14 +135,21 @@ jobs:
sudo mv build/* .
sudo rm -rf build
mkdir sarif
mv *.sarif sarif/
mkdir trivy-sarif grype-sarif
sudo mv release/*trivy.sarif trivy-sarif/
sudo mv release/*grype.sarif grype-sarif/
- name: Upload Trivy scan results to GitHub Security tab
if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/master' }}
uses: github/codeql-action/upload-sarif@afb54ba388a7dca6ecae48f608c4ff05ff4cc77a # v3
with:
sarif_file: 'sarif'
category: ${{ inputs.flavor }}-${{ inputs.flavor_release }}
sarif_file: 'trivy-sarif'
category: ${{ inputs.flavor }}-${{ inputs.flavor_release }}-trivy
- name: Upload Grype scan results to GitHub Security tab
if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/master' }}
uses: github/codeql-action/upload-sarif@afb54ba388a7dca6ecae48f608c4ff05ff4cc77a # v3
with:
sarif_file: 'grype-sarif'
category: ${{ inputs.flavor }}-${{ inputs.flavor_release }}-grype
- uses: actions/upload-artifact@89ef406dd8d7e03cfd12d9e0a4a378f454709029 # v4
with:
name: kairos-${{ inputs.flavor }}-${{ inputs.flavor_release }}.iso.zip
Expand Down
22 changes: 9 additions & 13 deletions .github/workflows/reusable-docker-arm-build.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -194,25 +194,21 @@ jobs:
- name: Prepare sarif files 🔧
if: startsWith(github.ref, 'refs/tags/v')
run: |
mkdir sarif
sudo mv build/*.sarif sarif/
mkdir trivy-sarif grype-sarif
sudo mv build/*trivy.sarif trivy-sarif/
sudo mv build/*grype.sarif grype-sarif/
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@afb54ba388a7dca6ecae48f608c4ff05ff4cc77a # v3
if: startsWith(github.ref, 'refs/tags/v')
with:
sarif_file: 'sarif'
category: ${{ matrix.flavor }}
- name: Prepare sarif files 🔧
if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/master' }}
run: |
mkdir sarif
sudo mv build/*.sarif sarif/
- name: Upload Trivy scan results to GitHub Security tab
sarif_file: 'trivy-sarif'
category: ${{ matrix.flavor }}-trivy
- name: Upload Grype scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@afb54ba388a7dca6ecae48f608c4ff05ff4cc77a # v3
if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/master' }}
if: startsWith(github.ref, 'refs/tags/v')
with:
sarif_file: 'sarif'
category: ${{ inputs.flavor }}
sarif_file: 'grype-sarif'
category: ${{ matrix.flavor }}-grype
- name: Upload results
if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/master' && inputs.model != 'nvidia-jetson-agx-orin' }}
uses: actions/upload-artifact@89ef406dd8d7e03cfd12d9e0a4a378f454709029 # v4
Expand Down

0 comments on commit f78ad12

Please sign in to comment.