fix: proper Trivy SARIF upload control

samuelho-dev · claude · samuelho-dev · commit b404926c1e4a · 2026-01-07T04:05:20.000-08:00
- Add upload-sarif input parameter (default: false) - Always run Trivy with table format for visible output in logs - Only generate SARIF and upload when upload-sarif: true - Removes need for continue-on-error workaround - Repos without GitHub Advanced Security can still see scan results 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
diff --git a/.github/workflows/docker-build-push.yml b/.github/workflows/docker-build-push.yml
@@ -62,6 +62,11 @@ on:
         required: false
         type: string
         default: 'HIGH,CRITICAL'
+      upload-sarif:
+        description: 'Upload SARIF to GitHub Security (requires Code Scanning enabled)'
+        required: false
+        type: boolean
+        default: false
     secrets:
       registry-username:
         description: 'Registry username'
@@ -160,9 +165,19 @@ jobs:
           provenance: true
           sbom: false
 
-      - name: Run Trivy vulnerability scanner
+      - name: Run Trivy vulnerability scanner (table output)
         if: inputs.scan
         uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 # v0.33.1
+        with:
+          image-ref: ${{ inputs.registry }}/${{ github.repository_owner }}/${{ inputs.image }}@${{ steps.build.outputs.digest }}
+          format: 'table'
+          severity: ${{ inputs.severity }}
+          timeout: '10m'
+          exit-code: '0' # Don't fail on vulnerabilities, just report
+
+      - name: Run Trivy vulnerability scanner (SARIF output)
+        if: inputs.scan && inputs.upload-sarif
+        uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 # v0.33.1
         with:
           image-ref: ${{ inputs.registry }}/${{ github.repository_owner }}/${{ inputs.image }}@${{ steps.build.outputs.digest }}
           format: 'sarif'
@@ -171,8 +186,7 @@ jobs:
           timeout: '10m'
 
       - name: Upload Trivy scan results to GitHub Security
-        if: inputs.scan
-        continue-on-error: true # Don't fail build if upload fails (permissions issue)
+        if: inputs.scan && inputs.upload-sarif
         uses: github/codeql-action/upload-sarif@48ab28a6f5dbc2a99bf1e0131198dd8f1df78169 # v3.28.0
         with:
           sarif_file: 'trivy-results.sarif'
