aquasecurity / trivy-action

Runs Trivy as GitHub action to scan your Docker container image for vulnerabilities
Apache License 2.0

Break workflow when using sarif #25

Open javixeneize opened 3 years ago

javixeneize commented 3 years ago

Hi

I'm trying to run Trivy, generate a SARIF report, upload the artifact, and then, depending on the vulnerabilities, break the workflow or allow it to continue.

I'm setting up something like this:

  - name: Run Trivy vulnerability scanner
    uses: aquasecurity/trivy-action@master
    with:
      image-ref: 'javidr/vulnerbank:latest'
      format: 'template'
      template: '@/contrib/sarif.tpl'
      output: 'trivy-results.sarif'
      exit-code: '1'
      severity: 'LOW'
  - name: Upload artifact
    uses: actions/upload-artifact@v2
    with:
      name: trivy report
      path: 'trivy-results.sarif'

If I set exit-code, then the upload-artifact step is not executed. Is there any way to do it? Maybe upload-artifact could be embedded as an option in the action?

Thanks

simar7 commented 3 years ago

Hi @javixeneize - you could add the conditional if: always() to your Upload artifact step.

Something like this:

  - name: Run Trivy vulnerability scanner
    uses: aquasecurity/trivy-action@master
    with:
      image-ref: 'javidr/vulnerbank:latest'
      format: 'template'
      template: '@/contrib/sarif.tpl'
      output: 'trivy-results.sarif'
      exit-code: '1'
      severity: 'LOW'
  - if: always()
    name: Upload artifact
    uses: actions/upload-artifact@v2
    with:
      name: trivy report
      path: 'trivy-results.sarif'

More details here https://docs.github.com/en/actions/reference/context-and-expression-syntax-for-github-actions

Hope that helps.
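A complete workflow that applies the pattern from the reply above, as an added example that is not part of the original thread or of the trivy-action project. It keeps the template-based SARIF output used in the thread and adds two things the practitioner usually wants next: the SARIF is also pushed to GitHub code scanning with github/codeql-action/upload-sarif, and the job is failed in a final step based on the scan outcome rather than by the scan step itself, so every report step runs before the job turns red. The use of continue-on-error plus steps.trivy.outcome, the permissions block, the upload-sarif step, the action versions (actions/upload-artifact@v4, github/codeql-action/upload-sarif@v3) and the severity list are my choices, not something the thread specifies.

```yaml
# Added example: scan an image, always publish the SARIF, then fail on findings.
name: Container scan

on:
  push:
    branches: [main]

permissions:
  contents: read
  security-events: write   # required by codeql-action/upload-sarif (assumption: code scanning is enabled)

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - name: Run Trivy vulnerability scanner
        id: trivy
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: 'javidr/vulnerbank:latest'   # image from the thread
          format: 'template'
          template: '@/contrib/sarif.tpl'
          output: 'trivy-results.sarif'
          exit-code: '1'
          # severity is a list of levels to report, not a threshold:
          # 'LOW' alone would report only LOW findings.
          severity: 'CRITICAL,HIGH'
        # Let the job carry on so the report steps below always run;
        # the real failure decision is taken in the last step.
        continue-on-error: true

      - name: Upload Trivy report as artifact
        # !cancelled() runs after a failed scan but not after a manual cancel;
        # if: always() (as in the reply above) would run in both cases.
        if: ${{ !cancelled() }}
        uses: actions/upload-artifact@v4
        with:
          name: trivy-report
          path: trivy-results.sarif

      - name: Upload SARIF to GitHub code scanning
        if: ${{ !cancelled() }}
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: trivy-results.sarif

      - name: Fail the job if Trivy found vulnerabilities
        # With continue-on-error, steps.trivy.outcome is 'failure' when Trivy
        # exited 1 even though the step's conclusion is 'success'.
        if: steps.trivy.outcome == 'failure'
        run: |
          echo "::error::Trivy reported vulnerabilities at or above the configured severity"
          exit 1
```

If you only need the artifact and are happy for the scan step itself to fail the job, the two-step form from the reply above with if: always() is enough; the continue-on-error variant is for the case where several publishing steps must all run before the job is marked failed. Newer releases of trivy-action also accept format: 'sarif' directly, which removes the need for the contrib/sarif.tpl template.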

javixeneize commented 3 years ago

Yeah, it should work, but maybe it is also a good idea to add an option to save the report directly inside the action without having to add that step.

Thanks!