
Break workflow when using sarif

Open javixeneize opened this issue 3 years ago • 2 comments

Hi

I'm trying to run Trivy, generate a SARIF report, upload the artifact, and then, depending on the vulnerabilities, break the workflow or allow it to continue.

I'm setting something like this:

  - name: Run Trivy vulnerability scanner
    uses: aquasecurity/trivy-action@master
    with:
      image-ref: 'javidr/vulnerbank:latest'
      format: 'template'
      template: '@/contrib/sarif.tpl'
      output: 'trivy-results.sarif'
      exit-code: '1'
      severity: 'LOW'
  - name: Upload artifact
    uses: actions/upload-artifact@v2
    with:
      name: trivy report
      path: 'trivy-results.sarif'

If I set exit-code, then the upload artifact step is not executed. Is there any way to do it? Maybe upload artifact can be embedded as an option in the action?

Thanks

javixeneize avatar Feb 08 '21 14:02 javixeneize

Hi @javixeneize - you could set a conditional of - if: always() with your Upload artifact step.

Something like this:

  - name: Run Trivy vulnerability scanner
    uses: aquasecurity/trivy-action@master
    with:
      image-ref: 'javidr/vulnerbank:latest'
      format: 'template'
      template: '@/contrib/sarif.tpl'
      output: 'trivy-results.sarif'
      exit-code: '1'
      severity: 'LOW'
  - if: always()
    name: Upload artifact
    uses: actions/upload-artifact@v2
    with:
      name: trivy report
      path: 'trivy-results.sarif'

More details here: https://docs.github.com/en/actions/reference/context-and-expression-syntax-for-github-actions

Hope that helps.

simar7 avatar Feb 11 '21 21:02 simar7
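A complete workflow built around the if: always() suggestion above, added here as an example and not taken from the issue or from the trivy-action project. The Trivy inputs are the ones from the question; the checkout step, the continue-on-error setting and the final gating step on steps.trivy.outcome are my additions (assumed standard GitHub Actions features), so the job still ends red when Trivy finds something, but only after the report has been uploaded.

```yaml
name: trivy-scan
on: [push, pull_request]

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2

      - name: Run Trivy vulnerability scanner
        id: trivy
        uses: aquasecurity/trivy-action@master
        # Assumed addition: let the job carry on when Trivy exits 1 so the
        # SARIF file is still produced and handled by the later steps.
        continue-on-error: true
        with:
          image-ref: 'javidr/vulnerbank:latest'
          format: 'template'
          template: '@/contrib/sarif.tpl'
          output: 'trivy-results.sarif'
          exit-code: '1'
          severity: 'LOW'

      - name: Upload artifact
        # always() runs this step even if the scan step failed or the job
        # was cancelled, so the report is never lost.
        if: always()
        uses: actions/upload-artifact@v2
        with:
          name: trivy report
          path: 'trivy-results.sarif'

      - name: Fail the job when Trivy found vulnerabilities
        # steps.<id>.outcome is the step result before continue-on-error
        # is applied, so it is 'failure' whenever Trivy exited non-zero.
        if: steps.trivy.outcome == 'failure'
        run: |
          echo "Trivy exited non-zero; see the 'trivy report' artifact"
          exit 1
```

Without the continue-on-error line, if: always() alone already uploads the report while the job fails at the scan step; the extra gating step only moves the red result to the end of the job.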

Yeah, it should work, but maybe it is also a good idea to add an option to save the report directly inside the action without having to add that step.

Thanks!

javixeneize avatar Feb 16 '21 08:02 javixeneize