fix: enhance Trivy scan result uploads with conditional checks and category tagging

2026-02-24 06:22:03 +00:00
parent bc9f2cf882
commit e8a513541f
2 changed files with 70 additions and 1 deletions
--- a/.github/workflows/docker-build.yml
+++ b/.github/workflows/docker-build.yml
@@ -561,6 +561,7 @@ jobs:
        uses: github/codeql-action/upload-sarif@89a39a4e59826350b863aa6b6252a07ad50cf83e # v4.32.4
        with:
          sarif_file: 'trivy-results.sarif'
+          category: '.github/workflows/docker-build.yml:build-and-push'
          token: ${{ secrets.GITHUB_TOKEN }}

      # Generate SBOM (Software Bill of Materials) for supply chain security
@@ -702,13 +703,47 @@ jobs:
          exit-code: '1'  # Intended to block, but continued on error for now
        continue-on-error: true

-      - name: Upload Trivy scan results
+      - name: Check Trivy PR SARIF exists
        if: always()
+        id: trivy-pr-check
+        run: |
+          if [ -f trivy-pr-results.sarif ]; then
+            echo "exists=true" >> "$GITHUB_OUTPUT"
+          else
+            echo "exists=false" >> "$GITHUB_OUTPUT"
+          fi
+
+      - name: Upload Trivy scan results
+        if: always() && steps.trivy-pr-check.outputs.exists == 'true'
        uses: github/codeql-action/upload-sarif@89a39a4e59826350b863aa6b6252a07ad50cf83e # v4.32.4
        with:
          sarif_file: 'trivy-pr-results.sarif'
          category: 'docker-pr-image'

+      - name: Upload Trivy compatibility results (docker-build category)
+        if: always() && steps.trivy-pr-check.outputs.exists == 'true'
+        uses: github/codeql-action/upload-sarif@89a39a4e59826350b863aa6b6252a07ad50cf83e # v4.32.4
+        with:
+          sarif_file: 'trivy-pr-results.sarif'
+          category: '.github/workflows/docker-build.yml:build-and-push'
+        continue-on-error: true
+
+      - name: Upload Trivy compatibility results (docker-publish alias)
+        if: always() && steps.trivy-pr-check.outputs.exists == 'true'
+        uses: github/codeql-action/upload-sarif@89a39a4e59826350b863aa6b6252a07ad50cf83e # v4.32.4
+        with:
+          sarif_file: 'trivy-pr-results.sarif'
+          category: '.github/workflows/docker-publish.yml:build-and-push'
+        continue-on-error: true
+
+      - name: Upload Trivy compatibility results (nightly alias)
+        if: always() && steps.trivy-pr-check.outputs.exists == 'true'
+        uses: github/codeql-action/upload-sarif@89a39a4e59826350b863aa6b6252a07ad50cf83e # v4.32.4
+        with:
+          sarif_file: 'trivy-pr-results.sarif'
+          category: 'trivy-nightly'
+        continue-on-error: true
+
      - name: Create scan summary
        if: always()
        run: |
--- a/docs/reports/qa_report.md
+++ b/docs/reports/qa_report.md
@@ -197,3 +197,37 @@ PR-3 is **ready to merge** with no open QA blockers.
 	- Initial Playwright run saw container availability drop (`ECONNREFUSED`); after E2E environment rebuild and deterministic rerun, gate passed.
 	- Initial pre-commit run required one automatic EOF fix and passed on rerun.
 	- Shell working-directory drift caused temporary command-not-found noise for root-level security scripts; rerun from repo root passed.
+
+---
+
+## Workflow Fix Validation — GHAS Trivy Compatibility (`docker-build.yml`)
+
+- Date: 2026-02-24
+- Scope: `.github/workflows/docker-build.yml` only
+- Result: **PASS**
+
+### Checks Run
+
+1. Workflow lint/syntax:
+	- `go run github.com/rhysd/actionlint/cmd/actionlint@latest .github/workflows/docker-build.yml` → `actionlint: OK`
+	- `python3` YAML parse (`yaml.safe_load`) for `.github/workflows/docker-build.yml` → `YAML parse: OK`
+2. Guard/category placement validation:
+	- Verified Trivy compatibility uploads are gated with `if: always() && steps.trivy-pr-check.outputs.exists == 'true'`.
+	- Verified compatibility uploads are non-blocking via `continue-on-error: true`.
+	- Verified category aliases present:
+	  - `.github/workflows/docker-build.yml:build-and-push`
+	  - `.github/workflows/docker-publish.yml:build-and-push`
+	  - `trivy-nightly`
+	- Verified main Trivy SARIF upload for non-PR path now explicitly sets category `.github/workflows/docker-build.yml:build-and-push`.
+3. Security regression review (workflow logic only):
+	- Patch is additive for SARIF upload routing/compatibility and existence guard.
+	- No new secret exposure, token scope elevation, or privilege expansion introduced.
+	- No blocking behavior added to compatibility uploads.
+
+### Blockers
+
+- None.
+
+### Proceed Recommendation
+
+- **Proceed**. Workflow-only GHAS Trivy compatibility patch is validated and safe to merge.