From 5b565cb9a44b065af27923d77c7bbb56aad30c9e Mon Sep 17 00:00:00 2001
From: Bruno Oliveira da Silva
Date: Fri, 14 Feb 2025 10:27:48 -0300
Subject: [PATCH] Trivy workflow is not reporting issues on other branches [24.0] (#37335)
Trivy workflow is not reporting issues on other branches
Closes #37331
Co-authored-by: Jon Koops
Signed-off-by: Bruno Oliveira da Silva
---
 .github/workflows/trivy-analysis.yml | 19 ++++++++++++++-----
 1 file changed, 14 insertions(+), 5 deletions(-)
diff --git a/.github/workflows/trivy-analysis.yml b/.github/workflows/trivy-analysis.yml
index e26e9db2771..e35937c300b 100644
--- a/.github/workflows/trivy-analysis.yml
+++ b/.github/workflows/trivy-analysis.yml
@@ -10,7 +10,7 @@ defaults:
 jobs:
   analysis:
-    name: Vulnerability scanner for nightly containers
+    name: Vulnerability scanner for containers
     runs-on: ubuntu-latest
     if: github.repository == 'keycloak/keycloak'
     strategy:
@@ -18,17 +18,26 @@ jobs:
         container: [keycloak, keycloak-operator]
         fail-fast: false
     steps:
+      - name: Extract release ID
+        id: release
+        run: echo "id=${GITHUB_REF#refs/heads/release/}" >> $GITHUB_OUTPUT
+
+      - name: Checkout code
+        uses: actions/checkout@v4
+
       - name: Run Trivy vulnerability scanner
-        uses: aquasecurity/trivy-action@062f2592684a31eb3aa050cc61e7ca1451cecd3d
+        uses: aquasecurity/trivy-action@0.29.0
         with:
-          image-ref: quay.io/keycloak/${{ matrix.container}}:nightly
-          format: template
-          template: '@/contrib/sarif.tpl'
+          image-ref: quay.io/keycloak/${{ matrix.container }}:${{ steps.release.outputs.id }}
+          format: sarif
           output: trivy-results.sarif
           severity: MEDIUM,CRITICAL,HIGH
           ignore-unfixed: true
           security-checks: vuln
           timeout: 15m
+        env:
+          TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db
+          TRIVY_JAVA_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-java-db
       - name: Upload Trivy scan results to GitHub Security tab
         uses: github/codeql-action/upload-sarif@v3
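Review bot: The `Extract release ID` step in the second hunk only strips the `refs/heads/release/` prefix, so on any ref that does not carry it the expansion leaves `GITHUB_REF` unchanged and `image-ref` becomes `quay.io/keycloak/<container>:refs/heads/<branch>`, which is not a valid tag and the scan fails to pull instead of reporting findings; whether such refs reach this job depends on the workflow's `on:` trigger, which is outside the hunk. Since the removed line scanned the `nightly` tag, falling back to `nightly` for non-release refs (and quoting `"$GITHUB_OUTPUT"`) keeps the previous behaviour on the default branch. Separately, `uses: aquasecurity/trivy-action@0.29.0` replaces a full commit SHA with a mutable version tag, which weakens the supply-chain pin on the very action that produces the security findings; pinning to that release's commit with a trailing `# v0.29.0` comment keeps both readability and immutability, and the same consideration applies to `actions/checkout@v4` if the repository pins other actions by SHA.
```yaml
      - name: Extract release ID
        id: release
        run: |
          if [[ "$GITHUB_REF" == refs/heads/release/* ]]; then
            echo "id=${GITHUB_REF#refs/heads/release/}" >> "$GITHUB_OUTPUT"
          else
            echo "id=nightly" >> "$GITHUB_OUTPUT"
          fi
      # … unchanged: checkout, Trivy scan and SARIF upload steps …
```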