fix: docker workflow security upload (#1951)

* Fix artifact upload paths for CodeQL and SBOM results

- Correct CodeQL SARIF path from **/results to ../results (relative to workspace)
- Add fallback path for SBOM to handle different generation locations
- This should resolve the 'No files were found' warnings for artifacts

* Test commit to trigger Security Analysis workflow with fixed artifact paths

* Update docker.yaml

* Update security.yaml

* Update security.yaml

Author: Stijnus

.github/workflows/docker.yaml

@@ -61,18 +61,6 @@ jobs:
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
 
-      - name: Run Trivy vulnerability scanner
-        uses: aquasecurity/trivy-action@master
-        with:
-          image-ref: ${{ env.REGISTRY }}/${{ steps.image.outputs.name }}:${{ steps.meta.outputs.version }}
-          format: 'sarif'
-          output: 'trivy-results.sarif'
-
-      - name: Upload Trivy scan results to GitHub Security
-        uses: github/codeql-action/upload-sarif@v3
-        if: always()
-        with:
-          sarif_file: 'trivy-results.sarif'
 
       - name: Check manifest
         run: docker buildx imagetools inspect ${{ env.REGISTRY }}/${{ steps.image.outputs.name }}:${{ steps.meta.outputs.version }}

.github/workflows/security.yaml

@@ -18,7 +18,7 @@ jobs:
   codeql:
     name: CodeQL Analysis
     runs-on: ubuntu-latest
-    timeout-minutes: 360
+    timeout-minutes: 45
 
     strategy:
       fail-fast: false
@@ -35,23 +35,22 @@ jobs:
           languages: ${{ matrix.language }}
           queries: security-extended,security-and-quality
 
-      - name: Setup and Build
-        uses: ./.github/actions/setup-and-build
+      - name: Autobuild
+        uses: github/codeql-action/autobuild@v3
 
       - name: Perform CodeQL Analysis
         uses: github/codeql-action/analyze@v3
         with:
           category: "/language:${{matrix.language}}"
           upload: false
+          output: "codeql-results"
 
       - name: Upload CodeQL results as artifact
         uses: actions/upload-artifact@v4
         if: always()
         with:
           name: codeql-results-${{ matrix.language }}
-          path: |
-            **/results/**/*.sarif
-            **/results/**/*.sarif.json
+          path: codeql-results
 
   dependency-scan:
     name: Dependency Vulnerability Scan
@@ -90,7 +89,9 @@ jobs:
         if: always()
         with:
           name: sbom-results
-          path: sbom.spdx.json
+          path: |
+            sbom.spdx.json
+            **/sbom.spdx.json
 
   secrets-scan:
     name: Secrets Detection

README.md

@@ -366,3 +366,4 @@ For answers to common questions, issues, and to see a list of recommended models
 **Who needs a commercial WebContainer API license?**
 
 bolt.diy source code is distributed as MIT, but it uses WebContainers API that [requires licensing](https://webcontainers.io/enterprise) for production usage in a commercial, for-profit setting. (Prototypes or POCs do not require a commercial license.) If you're using the API to meet the needs of your customers, prospective customers, and/or employees, you need a license to ensure compliance with our Terms of Service. Usage of the API in violation of these terms may result in your access being revoked.
+# Test commit to trigger Security Analysis workflow