
Commit 49b0122

fix: address CodeRabbit nitpicks
- Rename "Security" column to "Sec-Sev" for clarity - Increase message truncation from 80 to 120 characters - Remove ineffective trivy:ignore:DS029 before FROM statements - Add explanatory comments to remaining DS029 ignores - Clean up apt cache in builder stage
1 parent d1adfbe commit 49b0122


3 files changed

+7
-9
lines changed


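--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -171,15 +171,15 @@ jobs:
 echo "<details>" >> $GITHUB_STEP_SUMMARY
 echo "<summary>View $RESULTS finding(s)</summary>" >> $GITHUB_STEP_SUMMARY
 echo "" >> $GITHUB_STEP_SUMMARY
-echo "| Level | Security | Rule | Location | Message |" >> $GITHUB_STEP_SUMMARY
-echo "|-------|----------|------|----------|---------|" >> $GITHUB_STEP_SUMMARY
+echo "| Level | Sec-Sev | Rule | Location | Message |" >> $GITHUB_STEP_SUMMARY
+echo "|-------|---------|------|----------|---------|" >> $GITHUB_STEP_SUMMARY
 # Join results with rules to get security-severity (which is on rule definitions, not results)
 jq -r '
 (.runs[0].tool.driver.rules // []) as $driver_rules |
 ([.runs[0].tool.extensions[]?.rules // []] | add // []) as $ext_rules |
 ($driver_rules + $ext_rules | map({(.id): (.properties["security-severity"] // null)}) | add // {}) as $severities |
 .runs[0].results[] |
-"| \(.level // "warning") | \($severities[.ruleId] // "N/A") | \(.ruleId // "unknown") | `\(.locations[0].physicalLocation.artifactLocation.uri // "unknown"):\(.locations[0].physicalLocation.region.startLine // "?")` | \(.message.text | gsub("\n"; " ") | gsub("\\|"; "\\\\|") | .[0:80]) |"
+"| \(.level // "warning") | \($severities[.ruleId] // "N/A") | \(.ruleId // "unknown") | `\(.locations[0].physicalLocation.artifactLocation.uri // "unknown"):\(.locations[0].physicalLocation.region.startLine // "?")` | \(.message.text | gsub("\n"; " ") | gsub("\\|"; "\\\\|") | .[0:120]) |"
 ' "$sarif" >> $GITHUB_STEP_SUMMARY
 echo "" >> $GITHUB_STEP_SUMMARY
 echo "</details>" >> $GITHUB_STEP_SUMMARY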
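Review bot: The rewritten row template on new line 182 still pipes `.message.text` straight into `gsub`, so a SARIF result that carries only `message.id` (or no message at all) makes `gsub` fail on a null input and aborts the whole `jq -r` run for that file; `\(.message.text // "" | gsub("\n"; " ") | gsub("\\|"; "\\\\|") | .[0:120])` keeps the row instead. The same template indexes `$severities[.ruleId]` before the `// "unknown"` fallback is applied, and as far as I can tell indexing an object with a null key is an error in jq rather than null, so `\($severities[.ruleId // ""] // "N/A")` is the safer form. Neither problem is introduced by this commit, but the line is being rewritten anyway. The shell step that wraps this hunk begins and ends outside it.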

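--- a/Dockerfile.ci
+++ b/Dockerfile.ci
@@ -4,10 +4,9 @@ ARG BUILDER_IMAGE=maven:3.9.9-eclipse-temurin-17
 ARG RUNNER_IMAGE=eclipse-temurin:17
 
 # Builder stage runs as root; runner stage uses non-root user
-# trivy:ignore:DS029
 FROM ${BUILDER_IMAGE} AS builder
-# trivy:ignore:DS029
-RUN apt-get update && apt-get install -y unzip
+# trivy:ignore:DS029 - Builder stage requires root for system package installation
+RUN apt-get update && apt-get install -y unzip && rm -rf /var/lib/apt/lists/*
 COPY ./target/*oscal-cli.zip /tmp/oscal-cli.zip
 WORKDIR /tmp
 RUN unzip /tmp/oscal-cli.zip -d /opt/oscal-cli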
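Review bot: The new comment on line 8 justifies the DS029 suppression with the builder stage running as root, but DS029 is Trivy's check for `apt-get install` without `--no-install-recommends`; the root-user finding is a different rule, so the ignore and its explanation do not match the finding they silence. Adding the flag and dropping the ignore resolves the finding rather than hiding it, and keeps the builder layer smaller: `RUN apt-get update && apt-get install -y --no-install-recommends unzip && rm -rf /var/lib/apt/lists/*`. If an ignore is kept, confirm that Trivy still recognises the rule ID when free text follows it on the same comment line — the form I know to be parsed is the bare `# trivy:ignore:<ID>`. Pinning `unzip` to a version would additionally make the builder stage reproducible. The same ignore/RUN pair is introduced in the Dockerfile.local hunk at its new lines 13–14.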

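--- a/Dockerfile.local
+++ b/Dockerfile.local
@@ -4,15 +4,14 @@ ARG BUILDER_IMAGE=maven:3.9.9-eclipse-temurin-17
 ARG RUNNER_IMAGE=eclipse-temurin:17
 
 # Builder stage runs as root; runner stage uses non-root user
-# trivy:ignore:DS029
 FROM ${BUILDER_IMAGE} AS builder
 ARG BUILDER_JDK_VENDOR=temurin
 ARG BUILDER_JDK_MAJOR_VERSION=17
 ARG BUILDER_JDK_HOME_PATH=/opt/java/openjdk
 COPY . /usr/local/src
 WORKDIR /usr/local/src
-# trivy:ignore:DS029
-RUN apt-get update && apt-get install -y unzip
+# trivy:ignore:DS029 - Builder stage requires root for system package installation
+RUN apt-get update && apt-get install -y unzip && rm -rf /var/lib/apt/lists/*
 RUN <<EOF
 mkdir -p /root/.m2
 cat > /root/.m2/toolchains.xml << XMLEOF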
