Split the uploading of trivy and grype results (#2860)

as suggested here: github/codeql-action#2476 (comment) Signed-off-by: Dimitris Karakasilis <dimitris@karakasilis.me>
kairos-io · Sep 16, 2024 · f78ad12 · f78ad12
1 parent 7b9fb8a
commit f78ad12
Show file tree

Hide file tree

Showing 4 changed files with 53 additions and 30 deletions.
diff --git a/.github/workflows/release-arm.yaml b/.github/workflows/release-arm.yaml
@@ -294,15 +294,21 @@ jobs:
             build/*scan-reports.tar.gz
       - name: Prepare sarif files  🔧
         run: |
-          mkdir sarif
-          sudo mv build/*.sarif sarif/
+          mkdir trivy-sarif grype-sarif
+          sudo mv build/*trivy.sarif trivy-sarif/
+          sudo mv build/*grype.sarif grype-sarif/
       - name: Upload Trivy scan results to GitHub Security tab
         uses: github/codeql-action/upload-sarif@afb54ba388a7dca6ecae48f608c4ff05ff4cc77a # v3
         if: startsWith(github.ref, 'refs/tags/')
         with:
-          sarif_file: 'sarif'
-          category: ${{ matrix.flavor }}
-
+          sarif_file: 'trivy-sarif'
+          category: ${{ matrix.flavor }}-trivy
+      - name: Upload Grype scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@afb54ba388a7dca6ecae48f608c4ff05ff4cc77a # v3
+        if: startsWith(github.ref, 'refs/tags/')
+        with:
+          sarif_file: 'grype-sarif'
+          category: ${{ matrix.flavor }}-grype
   build-arm-standard:
     runs-on: ARM64
     needs:
@@ -395,14 +401,21 @@ jobs:
             build/*scan-reports.tar.gz
       - name: Prepare sarif files  🔧
         run: |
-          mkdir sarif
-          sudo mv build/*.sarif sarif/
+          mkdir trivy-sarif grype-sarif
+          sudo mv build/*trivy.sarif trivy-sarif/
+          sudo mv build/*grype.sarif grype-sarif/
       - name: Upload Trivy scan results to GitHub Security tab
         if: startsWith(github.ref, 'refs/tags/')
         uses: github/codeql-action/upload-sarif@afb54ba388a7dca6ecae48f608c4ff05ff4cc77a # v3
         with:
-          sarif_file: 'sarif'
-          category: ${{ matrix.flavor }}
+          sarif_file: 'trivy-sarif'
+          category: ${{ matrix.flavor }}-trivy
+      - name: Upload Grype scan results to GitHub Security tab
+        if: startsWith(github.ref, 'refs/tags/')
+        uses: github/codeql-action/upload-sarif@afb54ba388a7dca6ecae48f608c4ff05ff4cc77a # v3
+        with:
+          sarif_file: 'grype-sarif'
+          category: ${{ matrix.flavor }}-grype
       - name: Space stats
         if: always()
         run: |

diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -193,8 +193,9 @@ jobs:
                           --output-signature="${filename}.sig" "${filename}"
       - name: Prepare files for release
         run: |
-          mkdir sarif
-          mv release/*.sarif sarif/
+          mkdir trivy-sarif grype-sarif
+          sudo mv release/*trivy.sarif trivy-sarif/
+          sudo mv release/*grype.sarif grype-sarif/
           mkdir reports
           mv release/*.json reports/
           cd reports
@@ -213,8 +214,14 @@ jobs:
         uses: github/codeql-action/upload-sarif@afb54ba388a7dca6ecae48f608c4ff05ff4cc77a # v3
         if: startsWith(github.ref, 'refs/tags/')
         with:
-          sarif_file: 'sarif'
-          category: ${{ matrix.flavor }}
+          sarif_file: 'trivy-sarif'
+          category: ${{ matrix.flavor }}-trivy
+      - name: Upload Grype scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@afb54ba388a7dca6ecae48f608c4ff05ff4cc77a # v3
+        if: startsWith(github.ref, 'refs/tags/')
+        with:
+          sarif_file: 'grype-sarif'
+          category: ${{ matrix.flavor }}-grype
   build-core-uki:
     runs-on: ubuntu-latest
     permissions:

diff --git a/.github/workflows/reusable-build-flavor.yaml b/.github/workflows/reusable-build-flavor.yaml
@@ -135,14 +135,21 @@ jobs:
 
           sudo mv build/* .
           sudo rm -rf build
-          mkdir sarif
-          mv *.sarif sarif/
+          mkdir trivy-sarif grype-sarif
+          sudo mv release/*trivy.sarif trivy-sarif/
+          sudo mv release/*grype.sarif grype-sarif/
       - name: Upload Trivy scan results to GitHub Security tab
         if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/master' }}
         uses: github/codeql-action/upload-sarif@afb54ba388a7dca6ecae48f608c4ff05ff4cc77a # v3
         with:
-          sarif_file: 'sarif'
-          category: ${{ inputs.flavor }}-${{ inputs.flavor_release }}
+          sarif_file: 'trivy-sarif'
+          category: ${{ inputs.flavor }}-${{ inputs.flavor_release }}-trivy
+      - name: Upload Grype scan results to GitHub Security tab
+        if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/master' }}
+        uses: github/codeql-action/upload-sarif@afb54ba388a7dca6ecae48f608c4ff05ff4cc77a # v3
+        with:
+          sarif_file: 'grype-sarif'
+          category: ${{ inputs.flavor }}-${{ inputs.flavor_release }}-grype
       - uses: actions/upload-artifact@89ef406dd8d7e03cfd12d9e0a4a378f454709029 # v4
         with:
           name: kairos-${{ inputs.flavor }}-${{ inputs.flavor_release }}.iso.zip

diff --git a/.github/workflows/reusable-docker-arm-build.yaml b/.github/workflows/reusable-docker-arm-build.yaml
@@ -194,25 +194,21 @@ jobs:
       - name: Prepare sarif files  🔧
         if: startsWith(github.ref, 'refs/tags/v')
         run: |
-          mkdir sarif
-          sudo mv build/*.sarif sarif/
+          mkdir trivy-sarif grype-sarif
+          sudo mv build/*trivy.sarif trivy-sarif/
+          sudo mv build/*grype.sarif grype-sarif/
       - name: Upload Trivy scan results to GitHub Security tab
         uses: github/codeql-action/upload-sarif@afb54ba388a7dca6ecae48f608c4ff05ff4cc77a # v3
         if: startsWith(github.ref, 'refs/tags/v')
         with:
-          sarif_file: 'sarif'
-          category: ${{ matrix.flavor }}
-      - name: Prepare sarif files  🔧
-        if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/master' }}
-        run: |
-          mkdir sarif
-          sudo mv build/*.sarif sarif/
-      - name: Upload Trivy scan results to GitHub Security tab
+          sarif_file: 'trivy-sarif'
+          category: ${{ matrix.flavor }}-trivy
+      - name: Upload Grype scan results to GitHub Security tab
         uses: github/codeql-action/upload-sarif@afb54ba388a7dca6ecae48f608c4ff05ff4cc77a # v3
-        if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/master' }}
+        if: startsWith(github.ref, 'refs/tags/v')
         with:
-          sarif_file: 'sarif'
-          category: ${{ inputs.flavor }}
+          sarif_file: 'grype-sarif'
+          category: ${{ matrix.flavor }}-grype
       - name: Upload results
         if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/master' && inputs.model != 'nvidia-jetson-agx-orin' }}
         uses: actions/upload-artifact@89ef406dd8d7e03cfd12d9e0a4a378f454709029 # v4