
Commit d1adfbe

fix: address CodeRabbit nitpicks
- Replace ADD with COPY in Dockerfile.local (Docker best practice)
- Add security-severity column to CodeQL findings table for better visibility when findings trigger build failures
1 parent bd793e9 commit d1adfbe


2 files changed

+11
-5
lines changed


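--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -171,9 +171,16 @@ jobs:
 echo "<details>" >> $GITHUB_STEP_SUMMARY
 echo "<summary>View $RESULTS finding(s)</summary>" >> $GITHUB_STEP_SUMMARY
 echo "" >> $GITHUB_STEP_SUMMARY
-echo "| Severity | Rule | Location | Message |" >> $GITHUB_STEP_SUMMARY
-echo "|----------|------|----------|---------|" >> $GITHUB_STEP_SUMMARY
-jq -r '.runs[0].results[] | "| \(.level // "warning") | \(.ruleId // "unknown") | `\(.locations[0].physicalLocation.artifactLocation.uri // "unknown"):\(.locations[0].physicalLocation.region.startLine // "?")` | \(.message.text | gsub("\n"; " ") | gsub("\\|"; "\\\\|") | .[0:80]) |"' "$sarif" >> $GITHUB_STEP_SUMMARY
+echo "| Level | Security | Rule | Location | Message |" >> $GITHUB_STEP_SUMMARY
+echo "|-------|----------|------|----------|---------|" >> $GITHUB_STEP_SUMMARY
+# Join results with rules to get security-severity (which is on rule definitions, not results)
+jq -r '
+(.runs[0].tool.driver.rules // []) as $driver_rules |
+([.runs[0].tool.extensions[]?.rules // []] | add // []) as $ext_rules |
+($driver_rules + $ext_rules | map({(.id): (.properties["security-severity"] // null)}) | add // {}) as $severities |
+.runs[0].results[] |
+"| \(.level // "warning") | \($severities[.ruleId] // "N/A") | \(.ruleId // "unknown") | `\(.locations[0].physicalLocation.artifactLocation.uri // "unknown"):\(.locations[0].physicalLocation.region.startLine // "?")` | \(.message.text | gsub("\n"; " ") | gsub("\\|"; "\\\\|") | .[0:80]) |"
+' "$sarif" >> $GITHUB_STEP_SUMMARY
 echo "" >> $GITHUB_STEP_SUMMARY
 echo "</details>" >> $GITHUB_STEP_SUMMARY
 fi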
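Review bot: `$severities[.ruleId]` on the new row-format line indexes the severity map with whatever `.ruleId` holds, and for a result that has no `ruleId` that is a null key, which jq rejects for objects ("Cannot index object with null") and so aborts the whole table—even though the Rule column on the same line already guards that case with `.ruleId // "unknown"`. The lookup has the same weakness one line earlier: a rule entry without `id` makes `map({(.id): …})` fail because object keys must be strings. Suggest `\($severities[.ruleId // ""] // "N/A")` for the row and `map(select(.id != null) | {(.id): (.properties["security-severity"] // null)})` for the lookup, so a malformed SARIF degrades to "N/A" rather than an empty summary. The `run` step this hunk belongs to starts and ends outside the hunk, so the surrounding `if` and `$sarif` assignment are not visible here.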

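--- a/Dockerfile.local
+++ b/Dockerfile.local
@@ -9,8 +9,7 @@ FROM ${BUILDER_IMAGE} AS builder
 ARG BUILDER_JDK_VENDOR=temurin
 ARG BUILDER_JDK_MAJOR_VERSION=17
 ARG BUILDER_JDK_HOME_PATH=/opt/java/openjdk
-# trivy:ignore:DS005 - ADD used intentionally to copy entire build context
-ADD . /usr/local/src
+COPY . /usr/local/src
 WORKDIR /usr/local/src
 # trivy:ignore:DS029
 RUN apt-get update && apt-get install -y unzip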
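Review bot: `COPY . /usr/local/src` still ships the entire build context into the builder stage, so whether `.git`, `.env` files or local credentials end up in that layer depends entirely on a `.dockerignore` that this commit does not show; if the repository has none, those files are readable in the builder image and in the build cache even though they never reach the final stage. Since the old comment explaining the whole-context copy was dropped together with the ADD, consider restoring the intent above the new line, e.g. `# Copies the whole build context; .dockerignore must exclude .git, .env and credential files`, or narrowing the COPY to the paths the build actually needs. The builder stage continues past this hunk, so what is done with `/usr/local/src` afterwards is not visible here.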
