Add further changes to GH actions to fix page upload and trivy SARIF …

…upload
finos · Sep 5, 2024 · 7437825 · 7437825
1 parent 5f1f453
commit 7437825
Show file tree

Hide file tree

Showing 3 changed files with 14 additions and 9 deletions.
diff --git a/.github/conf/trivy.yaml b/.github/conf/trivy.yaml
@@ -29,5 +29,5 @@ scan:
 #   - CRITICAL
 #   - UNKNOWN
 
-# vulnerability:
-#   ignore-unfixed: true
+vulnerability:
+  ignore-unfixed: true
diff --git a/.github/workflows/doc_builder.yaml b/.github/workflows/doc_builder.yaml
@@ -14,7 +14,8 @@ jobs:
   build:
     name: Deploy docs
     permissions:
-      contents: write # for actions/checkout to fetch code
+      contents: write # for actions/checkout to fetch code and  creating gh-pages
+      pages: write # for creating github pages
       security-events: write # for creating github pages
     runs-on: ubuntu-latest
 

diff --git a/.github/workflows/iac_scan.yaml b/.github/workflows/iac_scan.yaml
@@ -25,25 +25,29 @@ jobs:
         uses: actions/checkout@v4
 
       - name: Run trivy in fs mode and generate report
-        uses: aquasecurity/trivy-action@master
+        uses: aquasecurity/trivy-action@0.20.0
         with:
           scan-type: 'fs'
-          ignore-unfixed: true
+          # ignore-unfixed: true
           trivy-config: ".github/conf/trivy.yaml"
           trivyignores: ".github/conf/.trivyignore"
+          exit-code: '0'
           # severity: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
-          # output: ${{ env.TRIVY_REPORT_FILE }} # This flag doesnt seem to be working.
-        env:
-          TRIVY_OUTPUT: ${{ env.TRIVY_REPORT_FILE }}
+          # format: 'sarif'
+          output: ${{ env.TRIVY_REPORT_FILE }} # This flag doesnt seem to be working.
+        # env:
+        #   TRIVY_OUTPUT: ${{ env.TRIVY_REPORT_FILE }}
 
       # As per the following issue/solution: https://github.com/aquasecurity/trivy/issues/5003
       - name: Fix trivy SARIF report for URI scheme
         run: |-
+          # cat ${{ env.TRIVY_REPORT_FILE }}
           sed -i 's#git::https:/##g' ${{ env.TRIVY_REPORT_FILE }}
+          # diff -w ${{ env.TRIVY_REPORT_FILE }} "${{ env.TRIVY_REPORT_FILE }}.bak"
 
       - name: Upload trivy scan results to GitHub Security tab
         uses: github/codeql-action/upload-sarif@v3
-        if: success() || failure()
+        # if: success() || failure()
         with:
           sarif_file: "${{ env.TRIVY_REPORT_FILE }}"