chore(docker-build-push): use trivy convert to generate multiple formats

egose · Oct 24, 2024 · 876bd48 · 876bd48
1 parent 746e217
commit 876bd48
Showing 1 changed file with 15 additions and 8 deletions.
diff --git a/docker-build-push/action.yml b/docker-build-push/action.yml
@@ -38,7 +38,7 @@ runs:
   using: composite
   steps:
   - name: Log in to Docker Container Registry
-    # see https://github.com/docker/login-action/commit/f4ef78c080cd8ba55a85445d5b36e214a81df20a
+    # See https://github.com/docker/login-action/commits/master/
     uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567
     with:
       registry: ${{ inputs.registry-url }}
@@ -47,15 +47,15 @@ runs:
 
   - name: Extract metadata
     id: meta
-    # see https://github.com/docker/metadata-action/commit/507c2f2dc502c992ad446e3d7a5dfbe311567a96
+    # See https://github.com/docker/metadata-action/commits/master/
     uses: docker/metadata-action@60a0d343a0d8a18aedee9d34e62251f752153bdb
     with:
       images: ${{ inputs.registry-url }}/${{ inputs.image-name }}
       tags: ${{ inputs.metadata-tags }}
       labels: ${{ inputs.metadata-labels }}
 
   - name: Set up Docker Buildx
-    # see https://github.com/docker/setup-buildx-action/commit/f03ac48505955848960e80bbb68046aa35c7b9e7
+    # See https://github.com/docker/setup-buildx-action/commits/master/
     uses: docker/setup-buildx-action@988b5a0280414f521da01fcc63a27aeeb4b104db
 
   - name: Set Environment variables
@@ -64,17 +64,17 @@ runs:
       echo "DOCKER_LAYERS_PATH=${DOCKER_LAYERS_PATH}" >> $GITHUB_ENV
     shell: bash
 
-    # see https://github.com/docker/build-push-action/issues/252#issuecomment-744400434
+    # See https://github.com/docker/build-push-action/issues/252#issuecomment-744400434
   - name: Cache Docker layers
-    # see https://github.com/actions/cache/commit/69d9d449aced6a2ede0bc19182fadc3a0a42d2b0
+    # See https://github.com/actions/cache/commits/main/
     uses: actions/cache@81382a721fc89d96eca335d0c3ba33144b2baa9d
     with:
       path: ${{ env.DOCKER_LAYERS_PATH }}
       key: ${{ runner.os }}-buildx-${{ inputs.image-name }}-${{ github.sha }}
       restore-keys: ${{ runner.os }}-buildx-${{ inputs.image-name }}
 
   - name: Build and push Docker image
-    # see https://github.com/docker/build-push-action/commit/3b5e8027fcad23fda98b2e3ac259d8d67585f671
+    # See https://github.com/docker/build-push-action/commits/master/
     uses: docker/build-push-action@5cd11c3a4ced054e52742c5fd54dca954e0edd85
     with:
       context: ${{ inputs.docker-context }}
@@ -95,14 +95,21 @@ runs:
 
   - name: Run Trivy vulnerability scanner
     if: ${{ inputs.trivy == 'true' }}
+    # See https://github.com/aquasecurity/trivy-action/commits/master/
     uses: aquasecurity/trivy-action@cf990b19d84bbbe1eb8833659989a7c1029132e3
     with:
       image-ref: ${{ fromJSON(steps.meta.outputs.json).tags[0] }}
-      format: sarif
-      output: trivy-results.sarif
+      format: json
+      output: trivy-results.json
+
+  - name: Convert Trivy JSON report into sarif
+    run: |
+      trivy convert --format sarif --output trivy-results.sarif result.json
+    shell: bash
 
   - name: Upload Trivy scan results to GitHub Security tab
     if: ${{ inputs.trivy == 'true' }}
+    # See https://github.com/github/codeql-action/commits/main/
     uses: github/codeql-action/upload-sarif@467d7e6d9e138cb28eeebd638e6f0dbab1fd435e
     with:
       sarif_file: trivy-results.sarif