TehRiehlDeal/TehRiehlBudget
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Make Trivy image-scan failures readable in the job log
CI / test (push) Successful in 25s
Details
CI / lint (push) Successful in 27s
Details
CI / vuln-scan (push) Successful in 12s
Details
CI / sast (push) Successful in 10s
Details
CI / build-images (push) Successful in 2m19s
Details
CI / secrets-scan (push) Successful in 5s
Details
CI / image-scan (push) Failing after 1m3s
Details
CI / push (push) Has been skipped
Details

Browse Source 
The previous gate step wrote findings only to a SARIF file, so when the
scan exited 1 the job log showed nothing — no way to see what was
flagged without downloading the artifact, which itself failed to upload
because the frontend scan never ran and upload-artifact@v3 errors out
when a listed path is missing.

Run Trivy twice per service: first with --format table (no exit-code
gate) so the finding list lands in stdout, then with --format sarif and
--exit-code 1 for the actual gate and the artifact. The DB is cached
between the two runs so the second invocation is fast.

Also add `if-no-files-found: warn` to the artifact upload and `if:
always()` to the frontend scan step so partial reports still upload.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
Kevin Riehl
2026-05-06 16:18:25 -07:00
parent b2bc6ba9ca
commit 6f626d0c22
1 changed files with 22 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
.gitea/workflows/ci.yml
+22
View File
@@ -215,6 +215,17 @@ jobs:
- name: Trivy image scan — backend (HIGH/CRITICAL gate)
run: |
# Print the finding table to the job log first so the cause of any
# failure is visible inline (the SARIF run below writes only to file).
# The DB downloaded here is cached for the SARIF run that follows.
docker run --rm \
-v /var/run/docker.sock:/var/run/docker.sock \
aquasec/trivy:latest image \
--severity HIGH,CRITICAL \
--ignore-unfixed \
--format table \
tehriehlbudget-backend:${SHA_SHORT} || true
# Real gate + SARIF artifact.
docker run --rm \
-v /var/run/docker.sock:/var/run/docker.sock \
-v "$PWD:/src" \
@@ -226,7 +237,15 @@ jobs:
tehriehlbudget-backend:${SHA_SHORT}
- name: Trivy image scan — frontend (HIGH/CRITICAL gate)
if: always()
run: |
docker run --rm \
-v /var/run/docker.sock:/var/run/docker.sock \
aquasec/trivy:latest image \
--severity HIGH,CRITICAL \
--ignore-unfixed \
--format table \
tehriehlbudget-frontend:${SHA_SHORT} || true
docker run --rm \
-v /var/run/docker.sock:/var/run/docker.sock \
-v "$PWD:/src" \
@@ -261,6 +280,9 @@ jobs:
if: always()
with:
name: trivy-image-reports
# `warn` so the upload doesn't fail the run if a SARIF/SBOM is
# missing because an earlier scan step short-circuited.
if-no-files-found: warn
path: |
trivy-image-backend.sarif
trivy-image-frontend.sarif