fix(ci): cves are not closed in code scanning alerts (#892)

* fix(ci): cves are not closed in code scanning alerts

* f

* f

* f

* f

* f

Author: emosbaugh

.github/actions/scan-image/action.yml

@@ -12,6 +12,13 @@ inputs:
 runs:
   using: composite
   steps:
+    - name: Get image id
+      id: image-id
+      shell: bash
+      run: |
+        image_id=$(${{github.action_path}}/image_id.sh '${{ inputs.image-ref }}')
+        echo "image_id=$image_id" >> $GITHUB_OUTPUT
+
     - name: Scan image
       uses: aquasecurity/[email protected]
       with:
@@ -35,3 +42,4 @@ runs:
       uses: github/codeql-action/upload-sarif@v3
       with:
         sarif_file: trivy-results.sarif
+        category: 'image-scan:${{ steps.image-id.outputs.image_id }}'

.github/actions/scan-image/image_id.sh

@@ -0,0 +1,17 @@
+#!/bin/bash
+
+set -e
+
+if [ "$#" -ne 1 ] || [ "$1" == "" ] || [ "$1" == "-h" ] || [ "$1" == "--help" ]; then
+    echo "Usage: $0 <image_id>"
+    exit 1
+fi
+
+image_id="$1"
+image_id=$(echo "$image_id" | cut -d'@' -f1) # remove digest
+# make sure if there is only one colon it is not the port
+if ! echo "$image_id" | rev | cut -d':' -f1 | rev | grep -q '/' ; then
+    image_id=$(echo "$image_id" | rev | cut -d':' -f2- | rev) # remove tag
+fi
+
+echo -n "$image_id"