Trivy workflow is not reporting issues on other branches [24.0] (#37335)

Trivy workflow is not reporting issues on other branches Closes #37331 Co-authored-by: Jon Koops <jonkoops@gmail.com> Signed-off-by: Bruno Oliveira da Silva <bruno@abstractj.com>
2026-01-09 23:12:06 -03:30 · 2025-02-14 10:27:48 -03:00 · 2025-02-14 10:27:48 -03:00 · 5b565cb9a4
commit 5b565cb9a4
parent 3905f7fe2f
1 changed files with 14 additions and 5 deletions
--- a/.github/workflows/trivy-analysis.yml
+++ b/.github/workflows/trivy-analysis.yml
@ -10,7 +10,7 @@ defaults:
 jobs:

  analysis:
-    name: Vulnerability scanner for nightly containers
+    name: Vulnerability scanner for containers
    runs-on: ubuntu-latest
    if: github.repository == 'keycloak/keycloak'
    strategy:
@ -18,17 +18,26 @@ jobs:
        container: [keycloak, keycloak-operator]
      fail-fast: false
    steps:
+      - name: Extract release ID
+        id: release
+        run: echo "id=${GITHUB_REF#refs/heads/release/}" >> $GITHUB_OUTPUT
+        
+      - name: Checkout code
+        uses: actions/checkout@v4
+        
      - name: Run Trivy vulnerability scanner
-        uses: aquasecurity/trivy-action@062f2592684a31eb3aa050cc61e7ca1451cecd3d
+        uses: aquasecurity/trivy-action@0.29.0
        with:
-          image-ref: quay.io/keycloak/${{ matrix.container}}:nightly
-          format: template
-          template: '@/contrib/sarif.tpl'
+          image-ref: quay.io/keycloak/${{ matrix.container }}:${{ steps.release.outputs.id }}
+          format: sarif
          output: trivy-results.sarif
          severity: MEDIUM,CRITICAL,HIGH
          ignore-unfixed: true
          security-checks: vuln
          timeout: 15m
+        env:
+          TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db
+          TRIVY_JAVA_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-java-db

      - name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v3