Open Loki-Afro opened 2 years ago
hi, is this your config? https://github.com/kaffeekrone/mail-drop/blob/main/.github/workflows/trivy-analysis.yml#L41 if so I don't see an exit code stanza that should make it fail.
@simar7 i don't think that's an issue in my config, even though it is suggested by the documentation here. thing is https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#defining-the-severities-causing-pull-request-check-failure
is it supposed to fail either way, isn't it?
yes but you need an exit-code
param in your config for trivy to return a non zero exit code so it can fail the pipeline. it's documented here https://github.com/aquasecurity/trivy-action#scan-ci-pipeline
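As an added example (not the issue author's workflow and not a copy of the trivy-action project's own docs), this is how the exit-code input fits into a pull request workflow that also uploads results to Code Scanning; the job and step names, the action refs (@master, @v3, @v2), the severity list and the output file name are assumptions:

```yaml
name: trivy-analysis

on:
  pull_request:

jobs:
  trivy-verify:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3   # assumed ref

      # Scan the checked-out repository and write SARIF for Code Scanning.
      # exit-code: '1' makes trivy return non-zero when a finding matches the
      # severity filter, so this step (and the job) fails on its own, without
      # relying on the repository's "Check Failure" severity setting.
      - name: Run Trivy
        uses: aquasecurity/trivy-action@master   # assumed ref
        with:
          scan-type: 'fs'
          scan-ref: '.'
          format: 'sarif'
          output: 'trivy-results.sarif'   # assumed file name
          severity: 'HIGH,CRITICAL'       # assumed filter
          exit-code: '1'

      # Run even after the scan step failed, so the findings still show up
      # under "Code scanning results / Trivy".
      - name: Upload Trivy results
        if: always()
        uses: github/codeql-action/upload-sarif@v2   # assumed ref
        with:
          sarif_file: 'trivy-results.sarif'
```

Without exit-code the scan step is green regardless of what it found, and the only red signal is the separate "Code scanning results / Trivy" check produced from the uploaded SARIF; any check, including that one, blocks a merge only when branch protection lists it as a required status check.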
Hi there,
we are using codeql already, and have Code scanning results / CodeQL in our repos. additionally with the following rule: Settings -> Code security and analysis -> Code Scanning -> Check Failure: High or higher / Only Errors
this is described here: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#defining-the-severities-causing-pull-request-check-failure
so my thought was, when adding trivy, we can simply go the same path, let it scan report errors, and the checkbox mentioned above will block the pr, here my trivy action for that matter:
since i wanted that the run is always successful no matter if issues were found or not, i removed the exit-code: 1 line - because why should i need it when following the github documentation mentioned above
with the above settings this leads to the following result:
trivy-verify (the action itself) -> green - good
codeql finds nothing new -> green - good
Code scanning Results / Trivy found 1 high, several medium -> red - good
but i am able to merge without complaints - not good
now finally the question: why am i able to merge this pr?
you can find that pr here: https://github.com/kaffeekrone/mail-drop/pull/1