
fix: [#437] restore third-party Trivy SARIF uploads #438

Merged
josecelano merged 1 commit into main from 437-restore-third-party-trivy-sarif-uploads on Apr 9, 2026

Conversation


@josecelano josecelano commented Apr 9, 2026

Summary

Fix the Docker security scanning workflow so third-party Trivy SARIF results are uploaded through a supported path.

Changes

  • Add security-events: write permission to scan-third-party-images
  • Upload third-party SARIF directly with github/codeql-action/upload-sarif@v4
  • Use stable per-image categories: docker-third-party-${sanitized-image}
  • Remove the unsupported custom gh api /code-scanning/sarifs upload loop
  • Restrict aggregate uploader to project SARIF artifacts only

Why

The previous custom upload was failing with HTTP 422 ("category" is not a permitted key) and silently skipping third-party uploads, which caused PR warnings like configurations not found.

Validation

  • cargo run --bin linter yaml passes

Closes #437

Replace the unsupported custom gh API SARIF upload loop (HTTP 422 on category)
with github/codeql-action/upload-sarif in the third-party matrix job.

This restores third-party code scanning uploads with stable per-image categories
and removes the broken dynamic upload loop from the aggregate upload job.
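The supported upload path the PR describes, as an added illustrative matrix job written for this page rather than the repository's own workflow. The job id scan-third-party-images, the security-events: write permission, github/codeql-action/upload-sarif@v4 and the docker-third-party- category prefix come from the PR; the image list, step ids, env names and the aquasecurity/trivy-action version are assumptions.

```yaml
# Added example (not the repository's workflow): scan third-party images
# with Trivy in a matrix and upload each SARIF with upload-sarif, using a
# category that is stable across runs and unique per image.
jobs:
  scan-third-party-images:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write   # required for upload-sarif to post results
    strategy:
      fail-fast: false
      matrix:
        # Constructed image list; substitute the project's real images.
        image:
          - "docker.io/library/postgres:16"
          - "ghcr.io/example-org/example-sidecar:1.2.3"
    steps:
      - name: Derive a stable, file-name-safe token from the image reference
        id: san
        env:
          IMAGE: ${{ matrix.image }}   # pass via env, not string interpolation
        run: |
          # Collapse "/", ":" and "@" to "-" so the token is usable in file
          # names and category strings. It depends only on the image
          # reference, so the category does not change from run to run.
          name="$(printf '%s' "$IMAGE" | tr '/:@' '---')"
          echo "name=${name}" >> "$GITHUB_OUTPUT"

      - name: Scan image with Trivy
        uses: aquasecurity/trivy-action@0.28.0   # version is an assumption
        with:
          image-ref: ${{ matrix.image }}
          format: sarif
          output: trivy-${{ steps.san.outputs.name }}.sarif
          exit-code: "0"   # report findings; do not fail the scan step

      - name: Upload SARIF to code scanning
        uses: github/codeql-action/upload-sarif@v4
        with:
          sarif_file: trivy-${{ steps.san.outputs.name }}.sarif
          # One fixed category per image: later uploads with the same
          # category replace the earlier analysis instead of appearing as a
          # new, unmatched configuration on pull requests.
          category: docker-third-party-${{ steps.san.outputs.name }}
```

If the image list ever changes, removing an image leaves its old category in place until the stale analysis is deleted, which is expected behaviour rather than an upload failure.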
@josecelano josecelano self-assigned this Apr 9, 2026
@josecelano
Member Author

ACK b397688

@github-advanced-security

You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

  • The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
  • Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
  • You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

@josecelano josecelano merged commit 4daa4df into main Apr 9, 2026
41 of 47 checks passed


Development

Successfully merging this pull request may close these issues.

fix(ci): restore third-party Trivy SARIF uploads (GitHub API rejects category field)
