
Commit b34c618

authored
ci(grype): fail-build-pr-only (#505)
* ci(grype): fail-build-pr-only * Update scans.yml * Update scans.yml * Update scans.yml * Update scans.yml * Update scans.yml * Update scans.yml * Update scans.yml
1 parent 4cc7df3 commit b34c618


1 file changed

+15
-9
lines changed


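--- a/.github/workflows/scans.yml
+++ b/.github/workflows/scans.yml
@@ -26,6 +26,8 @@ jobs:
       - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
 
       - uses: bridgecrewio/checkov-action@562029b35f14a3859b4cc88d4e5308c440867d5f # master
+        with:
+          soft_fail: ${{ github.event_name != 'pull_request' }}
 
       - if: ${{ success() || failure() }}
         uses: github/codeql-action/upload-sarif@76621b61decf072c1cee8dd1ce2d2a82d33c17ed # v3
@@ -59,6 +61,7 @@ jobs:
         with:
           image-path: ${{ github.sha }}
           output: clair_results.sarif
+          return-code: ${{ github.event_name == 'pull_request' && 1 || 0 }}
           db-file: matcher.db
 
       - if: ${{ success() || failure() }}
@@ -125,6 +128,7 @@ jobs:
         uses: anchore/scan-action@1638637db639e0ade3258b51db49a9a137574c3e # v6
         with:
           path: .
+          fail-build: ${{ github.event_name == 'pull_request' }}
           severity-cutoff: high
           only-fixed: true
 
@@ -154,6 +158,7 @@ jobs:
         uses: anchore/scan-action@1638637db639e0ade3258b51db49a9a137574c3e # v6
         with:
           image: ${{ env.IMAGE_ID }}
+          fail-build: ${{ github.event_name == 'pull_request' }}
           severity-cutoff: high
           only-fixed: true
         env:
@@ -294,6 +299,7 @@ jobs:
         uses: anchore/scan-action@1638637db639e0ade3258b51db49a9a137574c3e # v6
         with:
           sbom: "${{ github.event.repository.name }}-sbom.spdx.json"
+          fail-build: ${{ github.event_name == 'pull_request' }}
           severity-cutoff: high
           only-fixed: true
 
@@ -314,20 +320,20 @@ jobs:
       - uses: aquasecurity/trivy-action@dc5a429b52fcf669ce959baa2c2dd26090d2a6c4 # 0.30
         with:
           scan-type: fs
-          ignore-unfixed: true
-          severity: HIGH,CRITICAL
           format: github
           output: dependency-results.sbom.json
           github-pat: ${{ github.token }}
 
       - uses: aquasecurity/trivy-action@dc5a429b52fcf669ce959baa2c2dd26090d2a6c4 # 0.30
         with:
           scan-type: fs
-          ignore-unfixed: true
-          severity: HIGH,CRITICAL
           format: sarif
           output: trivy-results.sarif
+          exit-code: ${{ github.event_name == 'pull_request' && 1 || 0}}
+          ignore-unfixed: true
+          severity: HIGH,CRITICAL
           scanners: vuln,secret,misconfig
+          skip-setup-trivy: true
 
       - uses: github/codeql-action/upload-sarif@76621b61decf072c1cee8dd1ce2d2a82d33c17ed # v3
         with:
@@ -354,19 +360,19 @@ jobs:
       - uses: aquasecurity/trivy-action@dc5a429b52fcf669ce959baa2c2dd26090d2a6c4 # 0.30
         with:
           image-ref: ${{ steps.build.outputs.imageid }}
-          ignore-unfixed: true
-          severity: HIGH,CRITICAL
           format: github
           output: dependency-results.sbom.json
           github-pat: ${{ github.token }}
 
       - uses: aquasecurity/trivy-action@dc5a429b52fcf669ce959baa2c2dd26090d2a6c4 # 0.30
         with:
           image-ref: ${{ steps.build.outputs.imageid }}
-          ignore-unfixed: true
-          severity: HIGH,CRITICAL
           format: sarif
           output: trivy-results.sarif
+          exit-code: ${{ github.event_name == 'pull_request' && 1 || 0}}
+          ignore-unfixed: true
+          severity: HIGH,CRITICAL
+          skip-setup-trivy: true
 
       - uses: github/codeql-action/upload-sarif@76621b61decf072c1cee8dd1ce2d2a82d33c17ed # v3
         with:
@@ -435,4 +441,4 @@ jobs:
           source_path: ${{ steps.changed-files.outputs.all_changed_files }}
           reporter: github-pr-check
           filter_mode: file
-          fail_on_error: true
+          fail_on_error: ${{ github.event_name == 'pull_request' }}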
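Review bot: The PR-only gate is spelled three different ways across these hunks (`!= 'pull_request'` for checkov's `soft_fail`, `== 'pull_request' && 1 || 0` for the Clair `return-code` and Trivy `exit-code` inputs, and a bare `== 'pull_request'` for the grype/reviewdog booleans), and the two Trivy lines drop the space before the closing braces (`0}}`) where the Clair line has `0 }}`; a single workflow-level `FAIL_ON_FINDINGS: ${{ github.event_name == 'pull_request' }}` under `env:` with `exit-code: ${{ env.FAIL_ON_FINDINGS == 'true' && 1 || 0 }}` at each use would keep the policy from drifting as scanners are added. Note that `github.event_name == 'pull_request'` is false for `merge_group` and `pull_request_target` runs, so if the `on:` block (outside this diff) ever enables a merge queue, findings would stop blocking merges without anyone touching these lines. Because pushes and scheduled runs can no longer fail the job, the `upload-sarif` steps are now the only place those findings surface, so their `if: ${{ success() || failure() }}` guards must stay. The added `skip-setup-trivy: true` on the SARIF Trivy steps only works because the dependency-submission Trivy step earlier in the same job installs the binary; a comment such as `# relies on the trivy install done by the dependency-submission step above` would make that ordering dependency explicit.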
