refactor: [#251] separate SARIF upload to dedicated job with minimal permissions

josecelano · josecelano · commit 382f4305feb5 · 2025-12-23T18:42:51.000Z
- Scan jobs now upload SARIF files as artifacts
- New dedicated upload-sarif-results job with only security-events:write permission
- Display steps show all security issues (CVEs + secrets) for visibility
- Scan steps only fail on HIGH/CRITICAL CVE vulnerabilities
diff --git a/.github/workflows/docker-security-scan.yml b/.github/workflows/docker-security-scan.yml
@@ -23,6 +23,8 @@ jobs:
     name: Scan Project-Built Docker Images
     runs-on: ubuntu-latest
     timeout-minutes: 15
+    permissions:
+      contents: read
     strategy:
       fail-fast: false
       matrix:
@@ -61,16 +63,20 @@ jobs:
           exit-code: "1"
           scanners: "vuln" # Only vulnerabilities, skip secrets (test containers have legitimate SSH keys)
 
-      - name: Upload Trivy results to GitHub Security
-        uses: github/codeql-action/upload-sarif@v4
+      - name: Upload SARIF artifact
+        uses: actions/upload-artifact@v4
         if: always()
         with:
-          sarif_file: "trivy-results-${{ matrix.image.name }}.sarif"
+          name: sarif-project-${{ matrix.image.name }}
+          path: "trivy-results-${{ matrix.image.name }}.sarif"
+          retention-days: 30
 
   scan-third-party-images:
     name: Scan Third-Party Docker Images
     runs-on: ubuntu-latest
     timeout-minutes: 15
+    permissions:
+      contents: read
     strategy:
       fail-fast: false
       matrix:
@@ -100,8 +106,30 @@ jobs:
           exit-code: "1"
           scanners: "vuln" # Focus on CVEs, not secrets
 
-      - name: Upload Trivy results to GitHub Security
-        uses: github/codeql-action/upload-sarif@v4
+      - name: Upload SARIF artifact
+        uses: actions/upload-artifact@v4
         if: always()
         with:
-          sarif_file: "trivy-results.sarif"
+          name: sarif-third-party-${{ matrix.image }}
+          path: "trivy-results.sarif"
+          retention-days: 30
+
+  upload-sarif-results:
+    name: Upload SARIF Results to GitHub Security
+    runs-on: ubuntu-latest
+    needs: [scan-project-images, scan-third-party-images]
+    if: always()
+    permissions:
+      security-events: write
+    steps:
+      - name: Download all SARIF artifacts
+        uses: actions/download-artifact@v4
+        with:
+          pattern: sarif-*
+          merge-multiple: false
+
+      - name: Upload SARIF files to GitHub Security
+        uses: github/codeql-action/upload-sarif@v4
+        with:
+          sarif_file: "."
+          category: "docker-security-scan"
