aquasecurity / trivy-action

Runs Trivy as GitHub action to scan your Docker container image for vulnerabilities
Apache License 2.0
729 stars 216 forks

How to get the exit code of the trivy-action? #330

Closed sumanth-lingappa closed 2 months ago

sumanth-lingappa commented 2 months ago

My workflow file is HERE

I would like to fail the workflow if the trivy-action finds vulnerabilities. I have done this in my bandit workflow in the same repo.

Since I am using the trivy-action, I am unable to get the exit code of the trivy-action run.

Can anyone please help?

nikpivkin commented 2 months ago

Hi @sumanth-lingappa !

The README contains examples of how to use the action and a description of the arguments. To terminate a workflow with an error, pass the exit-code: '1' argument. Don't forget to specify the if: always() condition if you want to upload the results to the Security page regardless of the status of the workflow.

sumanth-lingappa commented 2 months ago

Thank you @nikpivkin for your reply,

In which step should I pass if: always()?

nikpivkin commented 2 months ago

@sumanth-lingappa At the upload step of the report, for example, when using upload-sarif.
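Putting the two pieces of advice above together, here is an added example workflow (written for this thread, not taken from the trivy-action README or from the reporter's repository). The scan type, file names, branch names and the pinned action versions are assumptions; adjust them to the repository being scanned.

```yaml
# Added example: fail the job on findings, but still publish the SARIF.
name: trivy

on:
  pull_request:
  push:
    branches: [main]          # assumed default branch

permissions:
  contents: read
  security-events: write      # required by upload-sarif to write Code Scanning alerts

jobs:
  trivy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Run Trivy
        uses: aquasecurity/trivy-action@master   # assumed; pin to a release tag in practice
        with:
          scan-type: 'fs'                        # assumed: repository filesystem scan
          scan-ref: '.'
          format: 'sarif'
          output: 'trivy-results.sarif'          # assumed output file name
          severity: 'CRITICAL,HIGH'              # assumed threshold
          exit-code: '1'                         # non-zero exit => this step, and the job, fail

      - name: Upload Trivy results to the Security tab
        if: always()                             # run even though the scan step just failed
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: 'trivy-results.sarif'
```

Trivy writes the SARIF file before it exits with the requested non-zero code, so the upload step still has something to publish; without if: always() that step is skipped as soon as the scan step fails, which is exactly the "scan failing but nothing in the Security tab" symptom. Alerts raised on a pull request are filed against the PR, so they appear under the PR filter in the Security tab rather than in the default branch view.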

sumanth-lingappa commented 2 months ago

@nikpivkin, I have updated my trivy workflow as you mentioned. However, the trivy scan is failing, but there is no such activity in the Security tab. Please help.

Workflow file: HERE

Reference pull request: https://github.com/netscaler/ansible-collection-netscaleradc/pull/411

Trivy workflow details: https://github.com/netscaler/ansible-collection-netscaleradc/actions/runs/8684242656/job/23811506482?pr=411

nikpivkin commented 2 months ago

@sumanth-lingappa Try changing the filter to this: pr:<pr_num> tool:Trivy is:open

https://docs.github.com/en/code-security/code-scanning/managing-code-scanning-alerts/triaging-code-scanning-alerts-in-pull-requests

sumanth-lingappa commented 2 months ago

Thank you @nikpivkin, I get the results now.

I used to get a GitHub comment before (Ref: PR#390). But I don't get this anymore. Can you please help with how I can get a comment from github-advanced-security via Trivy as below?

nikpivkin commented 2 months ago

Unfortunately I can't help with this and I don't think it's related to Trivy. Try to find it in the documentation.

sumanth-lingappa commented 2 months ago

Sure @nikpivkin, I will close this one then. Thanks a lot for your help.