From e8a513541f4d45d55e94727bec2ed271413ef700 Mon Sep 17 00:00:00 2001 From: GitHub Actions Date: Tue, 24 Feb 2026 06:22:03 +0000 Subject: [PATCH] fix: enhance Trivy scan result uploads with conditional checks and category tagging --- .github/workflows/docker-build.yml | 37 +++++++++++++++++++++++++++++- docs/reports/qa_report.md | 34 +++++++++++++++++++++++++++ 2 files changed, 70 insertions(+), 1 deletion(-) diff --git a/.github/workflows/docker-build.yml b/.github/workflows/docker-build.yml index f6c11e4b..901a1a3c 100644 --- a/.github/workflows/docker-build.yml +++ b/.github/workflows/docker-build.yml @@ -561,6 +561,7 @@ jobs: uses: github/codeql-action/upload-sarif@89a39a4e59826350b863aa6b6252a07ad50cf83e # v4.32.4 with: sarif_file: 'trivy-results.sarif' + category: '.github/workflows/docker-build.yml:build-and-push' token: ${{ secrets.GITHUB_TOKEN }} # Generate SBOM (Software Bill of Materials) for supply chain security @@ -702,13 +703,47 @@ jobs: exit-code: '1' # Intended to block, but continued on error for now continue-on-error: true - - name: Upload Trivy scan results + - name: Check Trivy PR SARIF exists if: always() + id: trivy-pr-check + run: | + if [ -f trivy-pr-results.sarif ]; then + echo "exists=true" >> "$GITHUB_OUTPUT" + else + echo "exists=false" >> "$GITHUB_OUTPUT" + fi + + - name: Upload Trivy scan results + if: always() && steps.trivy-pr-check.outputs.exists == 'true' uses: github/codeql-action/upload-sarif@89a39a4e59826350b863aa6b6252a07ad50cf83e # v4.32.4 with: sarif_file: 'trivy-pr-results.sarif' category: 'docker-pr-image' + - name: Upload Trivy compatibility results (docker-build category) + if: always() && steps.trivy-pr-check.outputs.exists == 'true' + uses: github/codeql-action/upload-sarif@89a39a4e59826350b863aa6b6252a07ad50cf83e # v4.32.4 + with: + sarif_file: 'trivy-pr-results.sarif' + category: '.github/workflows/docker-build.yml:build-and-push' + continue-on-error: true + + - name: Upload Trivy compatibility results (docker-publish alias) + if: always() && steps.trivy-pr-check.outputs.exists == 'true' + uses: github/codeql-action/upload-sarif@89a39a4e59826350b863aa6b6252a07ad50cf83e # v4.32.4 + with: + sarif_file: 'trivy-pr-results.sarif' + category: '.github/workflows/docker-publish.yml:build-and-push' + continue-on-error: true + + - name: Upload Trivy compatibility results (nightly alias) + if: always() && steps.trivy-pr-check.outputs.exists == 'true' + uses: github/codeql-action/upload-sarif@89a39a4e59826350b863aa6b6252a07ad50cf83e # v4.32.4 + with: + sarif_file: 'trivy-pr-results.sarif' + category: 'trivy-nightly' + continue-on-error: true + - name: Create scan summary if: always() run: | diff --git a/docs/reports/qa_report.md b/docs/reports/qa_report.md index 1349137c..94cd495b 100644 --- a/docs/reports/qa_report.md +++ b/docs/reports/qa_report.md @@ -197,3 +197,37 @@ PR-3 is **ready to merge** with no open QA blockers. - Initial Playwright run saw container availability drop (`ECONNREFUSED`); after E2E environment rebuild and deterministic rerun, gate passed. - Initial pre-commit run required one automatic EOF fix and passed on rerun. - Shell working-directory drift caused temporary command-not-found noise for root-level security scripts; rerun from repo root passed. + +--- + +## Workflow Fix Validation — GHAS Trivy Compatibility (`docker-build.yml`) + +- Date: 2026-02-24 +- Scope: `.github/workflows/docker-build.yml` only +- Result: **PASS** + +### Checks Run + +1. Workflow lint/syntax: + - `go run github.com/rhysd/actionlint/cmd/actionlint@latest .github/workflows/docker-build.yml` → `actionlint: OK` + - `python3` YAML parse (`yaml.safe_load`) for `.github/workflows/docker-build.yml` → `YAML parse: OK` +2. Guard/category placement validation: + - Verified Trivy compatibility uploads are gated with `if: always() && steps.trivy-pr-check.outputs.exists == 'true'`. + - Verified compatibility uploads are non-blocking via `continue-on-error: true`. + - Verified category aliases present: + - `.github/workflows/docker-build.yml:build-and-push` + - `.github/workflows/docker-publish.yml:build-and-push` + - `trivy-nightly` + - Verified main Trivy SARIF upload for non-PR path now explicitly sets category `.github/workflows/docker-build.yml:build-and-push`. +3. Security regression review (workflow logic only): + - Patch is additive for SARIF upload routing/compatibility and existence guard. + - No new secret exposure, token scope elevation, or privilege expansion introduced. + - No blocking behavior added to compatibility uploads. + +### Blockers + +- None. + +### Proceed Recommendation + +- **Proceed**. Workflow-only GHAS Trivy compatibility patch is validated and safe to merge.