From f78ad12d53dc4bdfe3e0734b4846be8dcf59388f Mon Sep 17 00:00:00 2001
From: Dimitris Karakasilis
Date: Mon, 16 Sep 2024 10:30:16 +0300
Subject: [PATCH] Split the uploading of trivy and grype results (#2860)
as suggested here:
https://github.com/github/codeql-action/issues/2476#issuecomment-2350277932
Signed-off-by: Dimitris Karakasilis
---
 .github/workflows/release-arm.yaml | 31 +++++++++++++------
 .github/workflows/release.yaml | 15 ++++++---
 .github/workflows/reusable-build-flavor.yaml | 15 ++++++---
 .../workflows/reusable-docker-arm-build.yaml | 22 ++++++-------
 4 files changed, 53 insertions(+), 30 deletions(-)
diff --git a/.github/workflows/release-arm.yaml b/.github/workflows/release-arm.yaml
index e6f330269..d6f0a6e48 100644
--- a/.github/workflows/release-arm.yaml
+++ b/.github/workflows/release-arm.yaml
@@ -294,15 +294,21 @@ jobs:
             build/*scan-reports.tar.gz
       - name: Prepare sarif files 🔧
         run: |
-          mkdir sarif
-          sudo mv build/*.sarif sarif/
+          mkdir trivy-sarif grype-sarif
+          sudo mv build/*trivy.sarif trivy-sarif/
+          sudo mv build/*grype.sarif grype-sarif/
       - name: Upload Trivy scan results to GitHub Security tab
         uses: github/codeql-action/upload-sarif@afb54ba388a7dca6ecae48f608c4ff05ff4cc77a # v3
         if: startsWith(github.ref, 'refs/tags/')
         with:
-          sarif_file: 'sarif'
-          category: ${{ matrix.flavor }}
-
+          sarif_file: 'trivy-sarif'
+          category: ${{ matrix.flavor }}-trivy
+      - name: Upload Grype scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@afb54ba388a7dca6ecae48f608c4ff05ff4cc77a # v3
+        if: startsWith(github.ref, 'refs/tags/')
+        with:
+          sarif_file: 'grype-sarif'
+          category: ${{ matrix.flavor }}-grype
   build-arm-standard:
     runs-on: ARM64
     needs:
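Review bot: Changing `category:` from `${{ matrix.flavor }}` to `${{ matrix.flavor }}-trivy` and `${{ matrix.flavor }}-grype` in the two Upload steps means the alerts already filed under the old per-flavor category receive no further uploads, and as far as I understand GitHub code scanning such alerts stay open on the affected refs instead of being closed by the next scan. The same category rename happens in every other hunk of this patch (release-arm.yaml second hunk, release.yaml, reusable-build-flavor.yaml, reusable-docker-arm-build.yaml), so the stale analyses for the old categories will want cleaning up once this merges. A short comment above the first Upload step would save the next person from wondering where the old alerts come from: `# Categories were split per scanner in #2860; alerts still under the plain '<flavor>' category are stale.`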
@@ -395,14 +401,21 @@ jobs:
             build/*scan-reports.tar.gz
       - name: Prepare sarif files 🔧
         run: |
-          mkdir sarif
-          sudo mv build/*.sarif sarif/
+          mkdir trivy-sarif grype-sarif
+          sudo mv build/*trivy.sarif trivy-sarif/
+          sudo mv build/*grype.sarif grype-sarif/
       - name: Upload Trivy scan results to GitHub Security tab
         if: startsWith(github.ref, 'refs/tags/')
         uses: github/codeql-action/upload-sarif@afb54ba388a7dca6ecae48f608c4ff05ff4cc77a # v3
         with:
-          sarif_file: 'sarif'
-          category: ${{ matrix.flavor }}
+          sarif_file: 'trivy-sarif'
+          category: ${{ matrix.flavor }}-trivy
+      - name: Upload Grype scan results to GitHub Security tab
+        if: startsWith(github.ref, 'refs/tags/')
+        uses: github/codeql-action/upload-sarif@afb54ba388a7dca6ecae48f608c4ff05ff4cc77a # v3
+        with:
+          sarif_file: 'grype-sarif'
+          category: ${{ matrix.flavor }}-grype
       - name: Space stats
         if: always()
         run: |
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 8f5732fca..d37343907 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -193,8 +193,9 @@ jobs:
             --output-signature="$(unknown).sig" "$(unknown)"
       - name: Prepare files for release
         run: |
-          mkdir sarif
-          mv release/*.sarif sarif/
+          mkdir trivy-sarif grype-sarif
+          sudo mv release/*trivy.sarif trivy-sarif/
+          sudo mv release/*grype.sarif grype-sarif/
           mkdir reports
           mv release/*.json reports/
           cd reports
@@ -213,8 +214,14 @@ jobs:
         uses: github/codeql-action/upload-sarif@afb54ba388a7dca6ecae48f608c4ff05ff4cc77a # v3
         if: startsWith(github.ref, 'refs/tags/')
         with:
-          sarif_file: 'sarif'
-          category: ${{ matrix.flavor }}
+          sarif_file: 'trivy-sarif'
+          category: ${{ matrix.flavor }}-trivy
+      - name: Upload Grype scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@afb54ba388a7dca6ecae48f608c4ff05ff4cc77a # v3
+        if: startsWith(github.ref, 'refs/tags/')
+        with:
+          sarif_file: 'grype-sarif'
+          category: ${{ matrix.flavor }}-grype
   build-core-uki:
     runs-on: ubuntu-latest
     permissions:
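Review bot: In release.yaml's 'Prepare files for release' step (the `@@ -193,8 +193,9 @@` hunk), the two new `sudo mv release/*trivy.sarif trivy-sarif/` and `sudo mv release/*grype.sarif grype-sarif/` lines run as root where the line they replace (`mv release/*.sarif sarif/`) and the adjacent `mv release/*.json reports/` context line do not. Either the `release/` tree is root-owned in this job, in which case the unprivileged `.json` move is the one that will fail, or the `sudo` was carried over from the ARM workflows and adds privilege the step does not need. I would keep the whole step at one privilege level, `mv release/*trivy.sarif trivy-sarif/` and `mv release/*grype.sarif grype-sarif/`, unless ownership of the SARIF files really differs from the JSON reports next to them. The run block continues past the end of the hunk.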
diff --git a/.github/workflows/reusable-build-flavor.yaml b/.github/workflows/reusable-build-flavor.yaml
index 2231f18a3..ec9023e59 100644
--- a/.github/workflows/reusable-build-flavor.yaml
+++ b/.github/workflows/reusable-build-flavor.yaml
@@ -135,14 +135,21 @@ jobs:
           sudo mv build/* .
           sudo rm -rf build
-          mkdir sarif
-          mv *.sarif sarif/
+          mkdir trivy-sarif grype-sarif
+          sudo mv release/*trivy.sarif trivy-sarif/
+          sudo mv release/*grype.sarif grype-sarif/
       - name: Upload Trivy scan results to GitHub Security tab
         if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/master' }}
         uses: github/codeql-action/upload-sarif@afb54ba388a7dca6ecae48f608c4ff05ff4cc77a # v3
         with:
-          sarif_file: 'sarif'
-          category: ${{ inputs.flavor }}-${{ inputs.flavor_release }}
+          sarif_file: 'trivy-sarif'
+          category: ${{ inputs.flavor }}-${{ inputs.flavor_release }}-trivy
+      - name: Upload Grype scan results to GitHub Security tab
+        if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/master' }}
+        uses: github/codeql-action/upload-sarif@afb54ba388a7dca6ecae48f608c4ff05ff4cc77a # v3
+        with:
+          sarif_file: 'grype-sarif'
+          category: ${{ inputs.flavor }}-${{ inputs.flavor_release }}-grype
       - uses: actions/upload-artifact@89ef406dd8d7e03cfd12d9e0a4a378f454709029 # v4
         with:
           name: kairos-${{ inputs.flavor }}-${{ inputs.flavor_release }}.iso.zip
diff --git a/.github/workflows/reusable-docker-arm-build.yaml b/.github/workflows/reusable-docker-arm-build.yaml
index 76105d673..888c52d82 100644
--- a/.github/workflows/reusable-docker-arm-build.yaml
+++ b/.github/workflows/reusable-docker-arm-build.yaml
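Review bot: The new `sudo mv release/*trivy.sarif trivy-sarif/` and `sudo mv release/*grype.sarif grype-sarif/` lines in reusable-build-flavor.yaml point at a `release/` directory that nothing in this workflow creates; the line they replace, `mv *.sarif sarif/`, took the files from the current directory, which is where the preceding context line `sudo mv build/* .` puts the scan output. With the default `bash -e` shell for `run` steps, an unmatched glob makes `mv` exit non-zero and the step aborts before either Upload step runs, so master pushes would silently stop reaching the Security tab for this flavor. The paths should follow this workflow's layout rather than release.yaml's: `sudo mv *trivy.sarif trivy-sarif/` and `sudo mv *grype.sarif grype-sarif/`. The run block containing these lines starts before the hunk.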
@@ -194,25 +194,21 @@ jobs:
       - name: Prepare sarif files 🔧
         if: startsWith(github.ref, 'refs/tags/v')
         run: |
-          mkdir sarif
-          sudo mv build/*.sarif sarif/
+          mkdir trivy-sarif grype-sarif
+          sudo mv build/*trivy.sarif trivy-sarif/
+          sudo mv build/*grype.sarif grype-sarif/
       - name: Upload Trivy scan results to GitHub Security tab
         uses: github/codeql-action/upload-sarif@afb54ba388a7dca6ecae48f608c4ff05ff4cc77a # v3
         if: startsWith(github.ref, 'refs/tags/v')
         with:
-          sarif_file: 'sarif'
-          category: ${{ matrix.flavor }}
-      - name: Prepare sarif files 🔧
-        if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/master' }}
-        run: |
-          mkdir sarif
-          sudo mv build/*.sarif sarif/
-      - name: Upload Trivy scan results to GitHub Security tab
+          sarif_file: 'trivy-sarif'
+          category: ${{ matrix.flavor }}-trivy
+      - name: Upload Grype scan results to GitHub Security tab
         uses: github/codeql-action/upload-sarif@afb54ba388a7dca6ecae48f608c4ff05ff4cc77a # v3
-        if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/master' }}
+        if: startsWith(github.ref, 'refs/tags/v')
         with:
-          sarif_file: 'sarif'
-          category: ${{ inputs.flavor }}
+          sarif_file: 'grype-sarif'
+          category: ${{ matrix.flavor }}-grype
       - name: Upload results
         if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/master' && inputs.model != 'nvidia-jetson-agx-orin' }}
         uses: actions/upload-artifact@89ef406dd8d7e03cfd12d9e0a4a378f454709029 # v4
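Review bot: The second 'Prepare sarif files' / 'Upload Trivy scan results' pair, the one guarded by `github.event_name == 'push' && github.ref == 'refs/heads/master'`, is removed and nothing takes its place, so after this change the reusable ARM docker build only delivers SARIF to the Security tab on `refs/tags/v*` refs. Pushes to master still upload the build artifact (the `Upload results` step keeps its master condition) but their Trivy and Grype findings no longer appear in code scanning, and the commit message does not mention dropping that coverage. If it is unintended, the three new steps need a condition covering both cases, e.g. `if: ${{ startsWith(github.ref, 'refs/tags/v') || (github.event_name == 'push' && github.ref == 'refs/heads/master') }}` on each of them. It is also worth confirming that `matrix.flavor` (used by the surviving steps) rather than `inputs.flavor` (used by the removed pair) is the variable this reusable workflow actually receives, since an empty expansion would yield categories like `-trivy`.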