@@ -159,22 +159,53 @@ jobs:
159159 with :
160160 pattern : sarif-*-${{ github.run_id }}
161161
162- # We use gh CLI because it’s easier to loop
163- # and assign stable categories per image
164- - name : Upload SARIF files
165- env :
166- GH_TOKEN : ${{ github.token }}
167- run : |
168- find . -name "*.sarif" -type f | while read -r sarif; do
169- category=$(basename "$(dirname "$sarif")" | sed 's/^sarif-//' | sed 's/-[0-9]*$//')
170- echo "Uploading $sarif as docker-$category"
171-
172- gh api \
173- --method POST \
174- -H "Accept: application/vnd.github+json" \
175- /repos/${{ github.repository }}/code-scanning/sarifs \
176- -f sarif=@-"$sarif" \
177- -f ref="${{ github.ref }}" \
178- -f commit_sha="${{ github.sha }}" \
179- -f category="docker-$category" || echo "Upload failed for $sarif"
180- done
162+ # Upload each SARIF file with CodeQL Action using unique categories.
163+ # The category parameter enables proper alert tracking per image.
164+ # Must use CodeQL Action (not gh API) - API doesn't support category field.
165+ - name : Upload project provisioned-instance SARIF
166+ if : always()
167+ uses : github/codeql-action/upload-sarif@v4
168+ with :
169+ sarif_file : sarif-project-provisioned-instance-${{ github.run_id }}/trivy-provisioned-instance.sarif
170+ category : docker-project-provisioned-instance
171+ continue-on-error : true
172+
173+ - name : Upload project ssh-server SARIF
174+ if : always()
175+ uses : github/codeql-action/upload-sarif@v4
176+ with :
177+ sarif_file : sarif-project-ssh-server-${{ github.run_id }}/trivy-ssh-server.sarif
178+ category : docker-project-ssh-server
179+ continue-on-error : true
180+
181+ - name : Upload third-party mysql SARIF
182+ if : always()
183+ uses : github/codeql-action/upload-sarif@v4
184+ with :
185+ sarif_file : sarif-third-party-mysql-8.0-${{ github.run_id }}/trivy.sarif
186+ category : docker-third-party-mysql-8.0
187+ continue-on-error : true
188+
189+ - name : Upload third-party tracker SARIF
190+ if : always()
191+ uses : github/codeql-action/upload-sarif@v4
192+ with :
193+ sarif_file : sarif-third-party-torrust-tracker-develop-${{ github.run_id }}/trivy.sarif
194+ category : docker-third-party-torrust-tracker-develop
195+ continue-on-error : true
196+
197+ - name : Upload third-party grafana SARIF
198+ if : always()
199+ uses : github/codeql-action/upload-sarif@v4
200+ with :
201+ sarif_file : sarif-third-party-grafana-grafana-11.4.0-${{ github.run_id }}/trivy.sarif
202+ category : docker-third-party-grafana-grafana-11.4.0
203+ continue-on-error : true
204+
205+ - name : Upload third-party prometheus SARIF
206+ if : always()
207+ uses : github/codeql-action/upload-sarif@v4
208+ with :
209+ sarif_file : sarif-third-party-prom-prometheus-v3.0.1-${{ github.run_id }}/trivy.sarif
210+ category : docker-third-party-prom-prometheus-v3.0.1
211+ continue-on-error : true
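Review bot: Each of the six new upload steps (new-side lines 165–211) sets `continue-on-error: true` together with `if: always()`, so a missing or malformed SARIF file, or an upload rejected by code scanning, leaves the job green and that image's findings silently absent from the Security tab; the loop this replaces at least printed a failure message per file. Unless a missing artifact is expected for some images, drop the `continue-on-error: true` line from each step so an upload failure is visible, or precede the uploads with one step that asserts every expected `sarif-*` directory and file exists. The step list also hard-codes six image names while the download step just above still uses the `sarif-*-${{ github.run_id }}` pattern, so an image added to the scan job's list elsewhere in this workflow would be downloaded but never uploaded; presumably that list is a matrix defined earlier in the file, outside this hunk. Consider adding a comment above the first upload step such as `# Keep in sync with the image list in the scan job; each image needs its own upload step and category.`, and, if the rest of the workflow does so, pinning `github/codeql-action/upload-sarif@v4` to a full commit SHA rather than a moving major tag.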