@@ -115,17 +115,6 @@ jobs:
115115 make -j "$image_job"
116116 echo "image=$(cat "$image_job")" >> $GITHUB_OUTPUT
117117
118- - name : Build Coder linux amd64 Docker image (ironbank)
119- id : build-ironbank
120- run : |
121- set -euo pipefail
122- # NOTE: This is not a real image tag we publish.
123- image_tag="${{ steps.build.outputs.image }}-ironbank"
124- ./scripts/ironbank/build_ironbank.sh \
125- --target "$image_tag" \
126- "build/coder_$(./scripts/version.sh)_linux_amd64"
127- echo "image=$image_tag" >> $GITHUB_OUTPUT
128-
129118 - name : Run Trivy vulnerability scanner
130119 uses : aquasecurity/trivy-action@9ab158e8597f3b310480b9a69402b419bc03dbd5
131120 with :
@@ -140,34 +129,9 @@ jobs:
140129 sarif_file : trivy-results.sarif
141130 category : " Trivy"
142131
143- - name : Run Trivy vulnerability scanner (ironbank)
144- uses : aquasecurity/trivy-action@7b7aa264d83dc58691451798b4d117d53d21edfe
145- with :
146- image-ref : ${{ steps.build-ironbank.outputs.image }}
147- format : sarif
148- output : trivy-results-ironbank.sarif
149- severity : " CRITICAL,HIGH"
150-
151- # Update the tool name field in the ironbank SARIF file so it's not
152- # indistinguishable from findings in the non-ironbank SARIF file in the
153- # GitHub UI. Without this, findings from both scans would show up as
154- # "Trivy".
155- - name : Update tool name in SARIF file (ironbank)
156- run : |
157- set -euo pipefail
158- yq eval -i '.runs[0].tool.driver.name = "Trivy Ironbank"' trivy-results-ironbank.sarif
159-
160- - name : Upload Trivy scan results to GitHub Security tab (ironbank)
161- uses : github/codeql-action/upload-sarif@v2
162- with :
163- sarif_file : trivy-results-ironbank.sarif
164- category : " Trivy Ironbank"
165-
166132 - name : Upload Trivy scan results as an artifact
167133 uses : actions/upload-artifact@v2
168134 with :
169135 name : trivy
170- path : |
171- trivy-results.sarif
172- trivy-results-ironbank.sarif
136+ path : trivy-results.sarif
173137 retention-days : 7
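Review bot: The surviving artifact step, `uses: actions/upload-artifact@v2`, is pinned to a mutable major-version tag, while the Trivy step two hunks up is pinned to a full commit SHA; since this workflow exists to produce security findings, a tag that can be re-pointed upstream is the weaker link in the job. Pin it the same way as the scanner, keeping the version as a trailing comment for readability, e.g. `uses: actions/upload-artifact@<full-commit-sha>  # v2`, and consider whether v2 is still the intended major (it predates the current releases of that action, so it is likely to be retired at some point). Separately, with the ironbank scan gone, the remaining Trivy step's `with:` inputs are cut off at the end of the first hunk, so it is not visible here whether the scan is configured to fail the job on CRITICAL/HIGH findings; worth confirming now that it is the only scan left.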