Description
The request
As another step towards reducing load on the rate limiting - could you provide an action output that we could use like `result=fail`? This would be decoupled completely from the exit code (for which the behavior would remain the same as it is today, depending on the `exit-code` flag).
The background
To explain where this would be useful - our typical flow up to now has been to run Trivy twice in a workflow:
- once to produce the nice readable table view (with `exit-code: 1`) so engineers can see the feedback directly in the workflow if it should fail a scan and we can "break the build"
- then immediately again (`if: always()`) to get it in SARIF format for upload to GHAS
What would an output solve?
Mainly that we can just start to use `convert` instead of a second run whilst presenting a workflow output that is easy and obvious for an engineer to see their results in a workflow when it fails.
To do this now in a less obvious format for the consumer of the workflow I have something like:
```yaml
- name: Trivy Image Scan
  id: scan
  uses: aquasecurity/[email protected]
  with:
    image-ref: some-image
    exit-code: 1
    format: json
    output: "results.json"   # file name must match the convert steps below
- name: Setup trivy for SARIF
  if: always()
  uses: aquasecurity/[email protected]
- name: Convert to SARIF
  if: always()
  run: |
    trivy convert --format=sarif --output="results.sarif" "results.json"
- name: Upload results to GitHub Security
  if: always()
  uses: github/codeql-action/upload-sarif@v3
  with:
    sarif_file: "results.sarif"
- name: View readable report
  if: steps.scan.outcome == 'failure'
  run: |
    trivy convert --format=table results.json && exit 1
```
The problems with this are:
- there will be two failed steps. One of which is the original scan step with no output because it's written to file (confusing to the engineer, and they may assume it was a runtime error) and then a second step further down the job log to find the actual results in a readable format.
- I cannot trigger the readable report without also failing the scan step
- It's all a lot of faff :)
What would the solution look like
```yaml
- name: Trivy Image Scan
  id: scan
  uses: aquasecurity/[email protected]
  with:
    image-ref: some-image
    exit-code: 0   # <<<------ engineer will not look here
    format: json
    output: "results.json"   # file name must match the convert steps below
- name: Setup trivy for SARIF
  if: always()
  uses: aquasecurity/[email protected]
- name: Convert to SARIF
  if: always()
  run: |
    trivy convert --format=sarif --output="results.sarif" "results.json"
- name: Upload results to GitHub Security
  if: always()
  uses: github/codeql-action/upload-sarif@v3
  with:
    sarif_file: results.sarif
- name: View results
  if: steps.scan.outputs.result == 'fail'
  run: |
    # <<<----- nice obvious end of job view if there are failures
    trivy convert --format=table "results.json" && exit 1
```
So now the workflow output makes total sense to a consumer when there are findings, and you get fewer requests for the DB because we aren't running it twice.
Alternative suggestions
- Adding the `convert` command to the action, which would also be nice - but I suspect much more work than a simple addition of an output?
- Allow multiple outputs in a single execution - but you guys already rejected that many times and it is the reason you added the excellent `convert` command :)
- Add an `upload-sarif` flag and you handle the creation and upload of the SARIF directly in the initial execution - also a lot more work but would be nice
- You could go bananas with outputs like `total-findings`, `critical-findings`, `high-findings` etc.
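As an added example (not code from this issue or from trivy-action), here is how a workflow step could derive the requested `result` output, plus the `total-findings`/`critical-findings`/`high-findings` counts mentioned above, from the single JSON report and publish them via `$GITHUB_OUTPUT`. It assumes Trivy's JSON layout of `Results[]` entries with `Vulnerabilities`, `Misconfigurations` and `Secrets` arrays that each carry a `Severity`; the script name `trivy_outputs.py` and the `fail_on` threshold are assumptions.

```python
"""Derive result=pass/fail and finding counts from a Trivy JSON report."""
import json
import os
import sys
from collections import Counter

# Trivy severity levels, lowest to highest, used to rank findings against the threshold.
RANK = {sev: i for i, sev in enumerate(["UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL"])}

def count_findings(report):
    """Count findings per severity. Assumes Trivy's JSON layout:
    Results[].{Vulnerabilities,Misconfigurations,Secrets}[].Severity."""
    counts = Counter()
    for result in report.get("Results") or []:
        for key in ("Vulnerabilities", "Misconfigurations", "Secrets"):
            for finding in result.get(key) or []:
                counts[str(finding.get("Severity", "UNKNOWN")).upper()] += 1
    return counts

def evaluate(report, fail_on="HIGH"):
    """Build the outputs the issue asks for: result plus per-severity counts."""
    counts = count_findings(report)
    failing = sum(n for sev, n in counts.items() if RANK.get(sev, 0) >= RANK[fail_on.upper()])
    return {
        "result": "fail" if failing else "pass",
        "total-findings": sum(counts.values()),
        "critical-findings": counts["CRITICAL"],
        "high-findings": counts["HIGH"],
    }

def write_github_outputs(outputs, path=None):
    """Append key=value lines to $GITHUB_OUTPUT so later steps can read steps.<id>.outputs.<key>."""
    path = path or os.environ.get("GITHUB_OUTPUT")
    if path:
        with open(path, "a", encoding="utf-8") as fh:
            fh.writelines(f"{k}={v}\n" for k, v in outputs.items())
    return outputs

# Constructed sample report with placeholder IDs (not real scan output): CRITICAL, LOW and HIGH.
SAMPLE_REPORT = {"Results": [
    {"Target": "some-image (os packages)", "Vulnerabilities": [
        {"VulnerabilityID": "CVE-0000-0001", "Severity": "CRITICAL"},
        {"VulnerabilityID": "CVE-0000-0002", "Severity": "LOW"}]},
    {"Target": "Dockerfile", "Misconfigurations": [{"ID": "EXAMPLE-001", "Severity": "HIGH"}]},
]}

if __name__ == "__main__":  # usage in a run: step: python trivy_outputs.py results.json
    report = json.load(open(sys.argv[1], encoding="utf-8")) if len(sys.argv) > 1 else SAMPLE_REPORT
    print(write_github_outputs(evaluate(report)))
```

With this in the scan step (`id: scan`), a later step can keep the `if: steps.scan.outputs.result == 'fail'` guard shown above while the action itself runs with `exit-code: 0`.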