feat(docker-build): add security report option and upload step (#37)

TartanLeGrand · web-flow · commit 5d6d470b30eb · 2025-04-24T18:44:28.000+02:00
diff --git a/.github/workflows/docker-build.yml b/.github/workflows/docker-build.yml
@@ -19,6 +19,10 @@ on:
         description: 'Enable Security Scan'
         default: true
         type: boolean
+      security-report:
+        description: 'Enable Security Report'
+        default: 'sarif'
+        type: string
       hadolint:
         description: 'Enable Hadolint'
         default: true
@@ -100,7 +104,7 @@ jobs:
 
       - name: Update Pull Request with Security Scan Results
         uses: actions/github-script@v7
-        if: github.event_name == 'pull_request' && inputs.security-scan
+        if: github.event_name == 'pull_request' && inputs.security-scan && inputs.security-report == 'comment'
         with:
           script: |
             const fs = require('fs');
@@ -123,6 +127,12 @@ jobs:
               body: output
             });
 
+      - name: Upload Trivy scan results to GitHub Security tab
+        if: github.event_name == 'pull_request' && inputs.security-scan && inputs.security-report == 'sarif'
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: 'trivy-results.sarif'
+
       - name: Update Pull Request with Hadolint Results
         uses: actions/github-script@v7
         if: github.event_name == 'pull_request' && inputs.hadolint
