diff --git a/.github/workflows/nightly-build.yml b/.github/workflows/nightly-build.yml
index 1f0826a6..1fd30820 100644
--- a/.github/workflows/nightly-build.yml
+++ b/.github/workflows/nightly-build.yml
@@ -554,18 +554,81 @@ jobs:
 echo "- Structured SARIF counts: CRITICAL=${CRITICAL_COUNT}, HIGH=${HIGH_COUNT}, MEDIUM=${MEDIUM_COUNT}"
 } >> "$GITHUB_STEP_SUMMARY"
+ # List all Critical/High/Medium findings with details for triage
+ # shellcheck disable=SC2016
+ LIST_FINDINGS='
+ .runs[] as $run
+ | ($run.tool.driver.rules // []) as $rules
+ | $run.results[]?
+ | . as $result
+ | (
+ (
+ if (($result.ruleIndex | type) == "number") then
+ ($rules[$result.ruleIndex] // {})
+ else
+ {}
+ end
+ ) as $ruleByIndex
+ | (
+ [$rules[]? | select((.id // "") == ($result.ruleId // ""))][0] // {}
+ ) as $ruleById
+ | ($ruleByIndex // $ruleById) as $rule
+ | ($rule.properties["security-severity"] // null) as $sev
+ | (try ($sev | tonumber) catch null) as $score
+ | select($score != null and $score >= 4.0)
+ | {
+ id: ($result.ruleId // "unknown"),
+ score: $score,
+ severity: (
+ if $score >= 9.0 then "CRITICAL"
+ elif $score >= 7.0 then "HIGH"
+ else "MEDIUM"
+ end
+ ),
+ message: ($result.message.text // $rule.shortDescription.text // "no description")[0:120]
+ }
+ )
+ '
+
+ echo ""
+ echo "=== Vulnerability Details ==="
+ jq -r "[ ${LIST_FINDINGS} ] | sort_by(-.score) | .[] | \"\\(.severity) (\\(.score)): \\(.id) — \\(.message)\"" trivy-nightly.sarif || true
+ echo "============================="
+ echo ""
+
 if [ "$CRITICAL_COUNT" -gt 0 ]; then
 echo "❌ Critical vulnerabilities found in nightly build (${CRITICAL_COUNT})"
+ {
+ echo ""
+ echo "### ❌ Critical CVEs blocking nightly"
+ echo '```'
+ jq -r "[ ${LIST_FINDINGS} | select(.severity == \"CRITICAL\") ] | sort_by(-.score) | .[] | \"\\(.id) (score: \\(.score)): \\(.message)\"" trivy-nightly.sarif || true
+ echo '```'
+ } >> "$GITHUB_STEP_SUMMARY"
 exit 1
 fi
 if [ "$HIGH_COUNT" -gt 0 ]; then
 echo "❌ High vulnerabilities found in nightly build (${HIGH_COUNT})"
+ {
+ echo ""
+ echo "### ❌ High CVEs blocking nightly"
+ echo '```'
+ jq -r "[ ${LIST_FINDINGS} | select(.severity == \"HIGH\") ] | sort_by(-.score) | .[] | \"\\(.id) 
(score: \\(.score)): \\(.message)\"" trivy-nightly.sarif || true
+ echo '```'
+ } >> "$GITHUB_STEP_SUMMARY"
 exit 1
 fi
 if [ "$MEDIUM_COUNT" -gt 0 ]; then
 echo "::warning::Medium vulnerabilities found in nightly build (${MEDIUM_COUNT}). Non-blocking by policy; triage with SLA per .github/security-severity-policy.yml"
+ {
+ echo ""
+ echo "### ⚠️ Medium CVEs (non-blocking)"
+ echo '```'
+ jq -r "[ ${LIST_FINDINGS} | select(.severity == \"MEDIUM\") ] | sort_by(-.score) | .[] | \"\\(.id) (score: \\(.score)): \\(.message)\"" trivy-nightly.sarif || true
+ echo '```'
+ } >> "$GITHUB_STEP_SUMMARY"
 fi
 echo "✅ No Critical/High vulnerabilities found"
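Review bot: The by-id fallback in LIST_FINDINGS is dead whenever `ruleIndex` is numeric, because `($ruleByIndex // $ruleById)` only falls through on null/false and the `if` above yields `{}` for a missing or out-of-range index, so such a result has no `security-severity` and is silently dropped from every list. Letting the index lookup produce null instead fixes it: `($rules[$result.ruleIndex])` in the `then` branch and `null` in the `else` branch, leaving `// $ruleById` as is. Separately, `|| true` on the four `jq -r` invocations means a filter or SARIF parse error leaves the "Critical CVEs blocking nightly" section empty while the step still exits 1, so the triage list vanishes without a trace; `|| echo "(could not render findings from trivy-nightly.sarif)"` keeps the failure visible in the summary. The 9.0/7.0/4.0 cut-offs here presumably mirror the ones used to compute CRITICAL_COUNT/HIGH_COUNT/MEDIUM_COUNT above this hunk, which I cannot see; if they are defined in .github/security-severity-policy.yml, a comment on `LIST_FINDINGS=` pointing there would help keep the gate and the listing from drifting apart. The run script this hunk belongs to starts before the hunk.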