diff --git a/.github/workflows/release-arm.yaml b/.github/workflows/release-arm.yaml index e6f330269..d6f0a6e48 100644 --- a/.github/workflows/release-arm.yaml +++ b/.github/workflows/release-arm.yaml @@ -294,15 +294,21 @@ jobs: build/*scan-reports.tar.gz - name: Prepare sarif files 🔧 run: | - mkdir sarif - sudo mv build/*.sarif sarif/ + mkdir trivy-sarif grype-sarif + sudo mv build/*trivy.sarif trivy-sarif/ + sudo mv build/*grype.sarif grype-sarif/ - name: Upload Trivy scan results to GitHub Security tab uses: github/codeql-action/upload-sarif@afb54ba388a7dca6ecae48f608c4ff05ff4cc77a # v3 if: startsWith(github.ref, 'refs/tags/') with: - sarif_file: 'sarif' - category: ${{ matrix.flavor }} - + sarif_file: 'trivy-sarif' + category: ${{ matrix.flavor }}-trivy + - name: Upload Grype scan results to GitHub Security tab + uses: github/codeql-action/upload-sarif@afb54ba388a7dca6ecae48f608c4ff05ff4cc77a # v3 + if: startsWith(github.ref, 'refs/tags/') + with: + sarif_file: 'grype-sarif' + category: ${{ matrix.flavor }}-grype build-arm-standard: runs-on: ARM64 needs: @@ -395,14 +401,21 @@ jobs: build/*scan-reports.tar.gz - name: Prepare sarif files 🔧 run: | - mkdir sarif - sudo mv build/*.sarif sarif/ + mkdir trivy-sarif grype-sarif + sudo mv build/*trivy.sarif trivy-sarif/ + sudo mv build/*grype.sarif grype-sarif/ - name: Upload Trivy scan results to GitHub Security tab if: startsWith(github.ref, 'refs/tags/') uses: github/codeql-action/upload-sarif@afb54ba388a7dca6ecae48f608c4ff05ff4cc77a # v3 with: - sarif_file: 'sarif' - category: ${{ matrix.flavor }} + sarif_file: 'trivy-sarif' + category: ${{ matrix.flavor }}-trivy + - name: Upload Grype scan results to GitHub Security tab + if: startsWith(github.ref, 'refs/tags/') + uses: github/codeql-action/upload-sarif@afb54ba388a7dca6ecae48f608c4ff05ff4cc77a # v3 + with: + sarif_file: 'grype-sarif' + category: ${{ matrix.flavor }}-grype - name: Space stats if: always() run: | diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 8f5732fca..d37343907 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -193,8 +193,9 @@ jobs: --output-signature="${filename}.sig" "${filename}" - name: Prepare files for release run: | - mkdir sarif - mv release/*.sarif sarif/ + mkdir trivy-sarif grype-sarif + sudo mv release/*trivy.sarif trivy-sarif/ + sudo mv release/*grype.sarif grype-sarif/ mkdir reports mv release/*.json reports/ cd reports @@ -213,8 +214,14 @@ jobs: uses: github/codeql-action/upload-sarif@afb54ba388a7dca6ecae48f608c4ff05ff4cc77a # v3 if: startsWith(github.ref, 'refs/tags/') with: - sarif_file: 'sarif' - category: ${{ matrix.flavor }} + sarif_file: 'trivy-sarif' + category: ${{ matrix.flavor }}-trivy + - name: Upload Grype scan results to GitHub Security tab + uses: github/codeql-action/upload-sarif@afb54ba388a7dca6ecae48f608c4ff05ff4cc77a # v3 + if: startsWith(github.ref, 'refs/tags/') + with: + sarif_file: 'grype-sarif' + category: ${{ matrix.flavor }}-grype build-core-uki: runs-on: ubuntu-latest permissions: diff --git a/.github/workflows/reusable-build-flavor.yaml b/.github/workflows/reusable-build-flavor.yaml index 2231f18a3..ec9023e59 100644 --- a/.github/workflows/reusable-build-flavor.yaml +++ b/.github/workflows/reusable-build-flavor.yaml @@ -135,14 +135,21 @@ jobs: sudo mv build/* . sudo rm -rf build - mkdir sarif - mv *.sarif sarif/ + mkdir trivy-sarif grype-sarif + sudo mv release/*trivy.sarif trivy-sarif/ + sudo mv release/*grype.sarif grype-sarif/ - name: Upload Trivy scan results to GitHub Security tab if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/master' }} uses: github/codeql-action/upload-sarif@afb54ba388a7dca6ecae48f608c4ff05ff4cc77a # v3 with: - sarif_file: 'sarif' - category: ${{ inputs.flavor }}-${{ inputs.flavor_release }} + sarif_file: 'trivy-sarif' + category: ${{ inputs.flavor }}-${{ inputs.flavor_release }}-trivy + - name: Upload Grype scan results to GitHub Security tab + if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/master' }} + uses: github/codeql-action/upload-sarif@afb54ba388a7dca6ecae48f608c4ff05ff4cc77a # v3 + with: + sarif_file: 'grype-sarif' + category: ${{ inputs.flavor }}-${{ inputs.flavor_release }}-grype - uses: actions/upload-artifact@89ef406dd8d7e03cfd12d9e0a4a378f454709029 # v4 with: name: kairos-${{ inputs.flavor }}-${{ inputs.flavor_release }}.iso.zip diff --git a/.github/workflows/reusable-docker-arm-build.yaml b/.github/workflows/reusable-docker-arm-build.yaml index 76105d673..888c52d82 100644 --- a/.github/workflows/reusable-docker-arm-build.yaml +++ b/.github/workflows/reusable-docker-arm-build.yaml @@ -194,25 +194,21 @@ jobs: - name: Prepare sarif files 🔧 if: startsWith(github.ref, 'refs/tags/v') run: | - mkdir sarif - sudo mv build/*.sarif sarif/ + mkdir trivy-sarif grype-sarif + sudo mv build/*trivy.sarif trivy-sarif/ + sudo mv build/*grype.sarif grype-sarif/ - name: Upload Trivy scan results to GitHub Security tab uses: github/codeql-action/upload-sarif@afb54ba388a7dca6ecae48f608c4ff05ff4cc77a # v3 if: startsWith(github.ref, 'refs/tags/v') with: - sarif_file: 'sarif' - category: ${{ matrix.flavor }} - - name: Prepare sarif files 🔧 - if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/master' }} - run: | - mkdir sarif - sudo mv build/*.sarif sarif/ - - name: Upload Trivy scan results to GitHub Security tab + sarif_file: 'trivy-sarif' + category: ${{ matrix.flavor }}-trivy + - name: Upload Grype scan results to GitHub Security tab uses: github/codeql-action/upload-sarif@afb54ba388a7dca6ecae48f608c4ff05ff4cc77a # v3 - if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/master' }} + if: startsWith(github.ref, 'refs/tags/v') with: - sarif_file: 'sarif' - category: ${{ inputs.flavor }} + sarif_file: 'grype-sarif' + category: ${{ matrix.flavor }}-grype - name: Upload results if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/master' && inputs.model != 'nvidia-jetson-agx-orin' }} uses: actions/upload-artifact@89ef406dd8d7e03cfd12d9e0a4a378f454709029 # v4