Skip to content

ci(security-scan): surface Trivy findings in the run log (no more opaque exit 1)#371

Closed
seonghobae wants to merge 1 commit into
mainfrom
fix/trivy-reason-logging
Closed

ci(security-scan): surface Trivy findings in the run log (no more opaque exit 1)#371
seonghobae wants to merge 1 commit into
mainfrom
fix/trivy-reason-logging

Conversation

@seonghobae

Copy link
Copy Markdown
Contributor

Why

The central trivy-fs gate runs with format: sarif + exit-code: "1". When Trivy finds a CRITICAL/HIGH issue it exits non-zero, but because output goes only to the SARIF file the job log shows just Process completed with exit code 1 — no package, no CVE, no misconfig id. A human (or another agent) reading the run cannot tell why the required gate failed.

This was hit for real on ContextualWisdomLab/pg-llm-batch PR #1: the failing run logged only exit code 1; the actual cause (DS-0002 (HIGH) — missing non-root USER in two Dockerfiles) was invisible until the SARIF was reconstructed by hand.

What

Add a Report Trivy findings (reason this gate failed) step that renders the already-produced trivy-results.sarif as a human-readable table:

  • primary: trivy convert --format table trivy-results.sarif (the trivy binary is already on PATH from setup-trivy)
  • fallback: jq that prints [level] ruleId security-severity=… file: message per finding

No re-scan (reuses the SARIF the gate already wrote), always()-guarded so it prints on pass and fail, and it does not change the gate result. Satisfies the "every failure must show its reason in the log" requirement.

Verified: jq fallback tested against a real Trivy 0.70.0 SARIF →
- [error] DS-0002 security-severity=8.0 Dockerfile: …. YAML parses clean.

🤖 Generated with Claude Code

…il shows its reason

The trivy-fs gate runs with format:sarif + exit-code:1, so when it blocks a PR
the job log shows only "exit code 1" with no finding. Add a step that renders
the produced trivy-results.sarif as a human-readable table (trivy convert, jq
fallback) so a person reading the run log sees the exact package/CVE/misconfig,
severity, file, and fixed version that failed the gate. No re-scan; reuses the
SARIF already produced. always()-guarded so it also prints on success.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01RTAMs4bpSZS77Xe3RQjv9P
@seonghobae

Copy link
Copy Markdown
Contributor Author

Superseded by #382 and the newer Trivy SARIF-to-log implementation folded into that branch.

@seonghobae seonghobae closed this Jul 9, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant