CI: Fix Trivy scan refs and guard SARIF upload; use metadata tags for docker-build scan; add outcome gating

This commit is contained in:
Wikid82
2025-11-18 17:57:52 -05:00
parent 8434121dd1
commit ffa1bd9af7
2 changed files with 8 additions and 6 deletions


@@ -76,6 +76,7 @@ jobs:
- name: Run Trivy vulnerability scanner
if: github.event_name != 'pull_request'
id: trivy
uses: aquasecurity/trivy-action@master
with:
image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.build-and-push.outputs.digest }}
@@ -83,16 +84,15 @@ jobs:
output: 'trivy-results.sarif'
- name: Upload Trivy results to GitHub Security
if: github.event_name != 'pull_request'
if: github.event_name != 'pull_request' && steps.trivy.outcome == 'success'
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: 'trivy-results.sarif'
- name: Run Trivy scan (table output)
if: github.event_name != 'pull_request'
if: github.event_name != 'pull_request' && steps.trivy.outcome == 'success'
uses: aquasecurity/trivy-action@master
with:
image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.build-and-push.outputs.digest }}
format: 'table'
severity: 'CRITICAL,HIGH'