@@ -51,25 +51,26 @@ jobs:
5151 uses : aquasecurity/trivy-action@master
5252 with :
5353 image-ref : " ${{ env.IMAGE }}:${{ inputs.image_tag || 'latest' }}"
54- format : " table "
55- output : " trivy-results.txt "
54+ format : " json "
55+ output : " trivy-results.json "
5656 trivy-config : trivy.yaml
57-
57+
5858 - name : Check for vulnerabilities
5959 id : check
6060 run : |
61- if [ -s trivy-results.txt ] && grep -qE "Total: [1-9]" trivy-results.txt; then
61+ VULN_COUNT=$(jq '[.Results[]? | .Vulnerabilities[]?] | length' trivy-results.json)
62+ if [ "$VULN_COUNT" -gt 0 ]; then
6263 echo "has_vulnerabilities=true" >> "$GITHUB_OUTPUT"
6364 else
6465 echo "has_vulnerabilities=false" >> "$GITHUB_OUTPUT"
6566 fi
66-
67+
6768 - name : Upload scan results
6869 if : steps.check.outputs.has_vulnerabilities == 'true' || inputs.force_analysis == true
6970 uses : actions/upload-artifact@v4
7071 with :
7172 name : trivy-results
72- path : trivy-results.txt
73+ path : trivy-results.json
7374 retention-days : 30
7475
7576 - name : Write Trivy summary
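Review bot: The `?` suffixes in the new jq expression on line 61 make any JSON that lacks the expected `Results[].Vulnerabilities[]` shape count as zero, so a truncated or otherwise malformed Trivy output is recorded as `has_vulnerabilities=false` and the gate fails open; and if the job's shell is not running with errexit (the `shell:`/`defaults:` settings are outside this hunk), a jq parse error leaves `VULN_COUNT` empty, `[ "" -gt 0 ]` fails inside the `if`, and the else branch reports clean as well. Validate the document before counting, e.g. `jq -e '.Results | type == "array"' trivy-results.json >/dev/null || { echo "::error::Trivy output missing or malformed"; exit 1; }` ahead of the `VULN_COUNT=` line (if Trivy can legitimately omit `Results` for some targets, test a key it always writes, such as `SchemaVersion`, instead). The count also covers only the vulnerability scanner; if `trivy.yaml` (not shown) enables the secret or misconfiguration scanners, those findings live under `.Secrets`/`.Misconfigurations` and would never set the flag, so either fold them into the array or state the scope in a comment above the step, e.g. `# Only package vulnerabilities gate the run; secret/misconfig findings are not counted here.` Visible on the context line 51, `aquasecurity/trivy-action@master` tracks a mutable branch; pinning to a release tag or commit SHA keeps the scanner itself from changing underneath this workflow.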
@@ -79,15 +80,15 @@ jobs:
7980 echo "**Image:** \`${{ env.IMAGE }}:${{ inputs.image_tag || 'latest' }}\`" >> "$GITHUB_STEP_SUMMARY"
8081 echo "" >> "$GITHUB_STEP_SUMMARY"
8182 if [ "${{ steps.check.outputs.has_vulnerabilities }}" = "true" ]; then
82- echo "Vulnerabilities detected. Results uploaded as artifact." >> "$GITHUB_STEP_SUMMARY"
83- echo "" >> "$GITHUB_STEP_SUMMARY"
84- echo "<details><summary>Trivy output</summary>" >> "$GITHUB_STEP_SUMMARY"
85- echo "" >> "$GITHUB_STEP_SUMMARY"
86- echo '```' >> "$GITHUB_STEP_SUMMARY"
87- cat trivy-results.txt >> "$GITHUB_STEP_SUMMARY"
88- echo '```' >> "$GITHUB_STEP_SUMMARY"
83+ VULN_COUNT=$(jq '[.Results[]? | .Vulnerabilities[]?] | length' trivy-results.json)
84+ CRIT_COUNT=$(jq '[.Results[]? | .Vulnerabilities[]? | select(.Severity == "CRITICAL")] | length' trivy-results.json)
85+ HIGH_COUNT=$(jq '[.Results[]? | .Vulnerabilities[]? | select(.Severity == "HIGH")] | length' trivy-results.json)
86+ MED_COUNT=$(jq '[.Results[]? | .Vulnerabilities[]? | select(.Severity == "MEDIUM")] | length' trivy-results.json)
87+ echo "**$VULN_COUNT** vulnerabilities found: **$CRIT_COUNT** critical, **$HIGH_COUNT** high, **$MED_COUNT** medium." >> "$GITHUB_STEP_SUMMARY"
8988 echo "" >> "$GITHUB_STEP_SUMMARY"
90- echo "</details>" >> "$GITHUB_STEP_SUMMARY"
89+ echo "| CVE ID | Severity | Package | Installed | Fixed |" >> "$GITHUB_STEP_SUMMARY"
90+ echo "|--------|----------|---------|-----------|-------|" >> "$GITHUB_STEP_SUMMARY"
91+ jq -r '[.Results[]? | .Vulnerabilities[]?] | sort_by(.Severity) | .[] | "| \(.VulnerabilityID) | \(.Severity) | \(.PkgName) | \(.InstalledVersion) | \(.FixedVersion // "N/A") |"' trivy-results.json >> "$GITHUB_STEP_SUMMARY"
9192 else
9293 echo "No vulnerabilities found." >> "$GITHUB_STEP_SUMMARY"
9394 fi
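Review bot: `sort_by(.Severity)` on line 91 orders the table alphabetically, which puts CRITICAL first only by coincidence and lists LOW ahead of MEDIUM; use an explicit rank, e.g. `sort_by({"CRITICAL":0,"HIGH":1,"MEDIUM":2,"LOW":3}[.Severity] // 4)`. The headline on line 87 breaks down only critical/high/medium, so whenever LOW or UNKNOWN findings exist the three numbers do not add up to `$VULN_COUNT`; either add those buckets or reword it to `**$VULN_COUNT** vulnerabilities found, of which **$CRIT_COUNT** critical, …`. The table echoes scanner-derived strings (package names, versions) straight into Markdown, and a `|` in any field shifts the columns, so pass each field through `gsub("\\|"; "&#124;")` in the jq template. `GITHUB_STEP_SUMMARY` also has an upload size limit (on the order of 1 MiB, confirm against current docs), which a large image with a full per-CVE table can exceed, so consider capping the rows with `limit(200; …)` and pointing at the uploaded artifact for the remainder.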
@@ -219,8 +220,8 @@ jobs:
219220
220221 - name : Ensure Trivy results file exists
221222 run : |
222- if [ ! -f trivy-results.txt ]; then
223- echo "No Trivy vulnerabilities found." > trivy-results.txt
223+ if [ ! -f trivy-results.json ]; then
224+ echo '{"Results":[]}' > trivy-results.json
224225 fi
225226
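Review bot: The placeholder written on line 224 makes a missing artifact indistinguishable from a real clean scan; in this file the artifact is only uploaded when findings exist or `force_analysis` is set, so absence is expected for a clean image, but it is equally what this job sees when the scan job was skipped or failed, and whether it gates on that job's success (`needs:`/`if:`) is outside the hunk. At minimum record the substitution in the run log so a triage that ran on synthetic input is visible afterwards, e.g. `echo "::warning::No Trivy artifact found; using empty placeholder"` before the `echo '{"Results":[]}'` line, and add a comment above the step such as `# Missing artifact means the scan job reported no vulnerabilities (see upload condition); keep this job gated on that job's success.`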
226227 - name : Fetch Dependabot alerts
@@ -389,7 +390,7 @@ jobs:
389390 You are a security engineer triaging vulnerabilities and security findings for the Sourcebot Docker image.
390391 You have three data sources to analyze:
391392
392- 1. **Trivy scan results** in `trivy-results.txt ` — container image vulnerability scan
393+ 1. **Trivy scan results** in `trivy-results.json ` — container image vulnerability scan (JSON format with `Results[].Vulnerabilities[]` array)
393394 2. **Dependabot alerts** in `dependabot-alerts.json` — GitHub dependency vulnerability alerts
394395 3. **CodeQL alerts** in `codeql-alerts.json` — GitHub code scanning findings
395396