Skip to content

ci(security-scan): make trivy-fs print the finding on failure#373

Closed
seonghobae wants to merge 1 commit into
mainfrom
fix/trivy-fs-reason-logging
Closed

ci(security-scan): make trivy-fs print the finding on failure#373
seonghobae wants to merge 1 commit into
mainfrom
fix/trivy-fs-reason-logging

Conversation

@seonghobae

Copy link
Copy Markdown
Contributor

Problem (grounded in real run logs)

The central required trivy-fs gate runs with format: sarif + exit-code: "1". When it fails, the run log shows only:

##[error]Process completed with exit code 1.

The actual finding goes to trivy-results.sarif and is never printed to the log — a human cannot see WHY the required workflow blocked the PR.

Verified on ContextualWisdomLab/aFIPC PRs #108 / #111 / #115 / #117 (run 28911486111, job 85769621932): the opaque failure is a HIGH AsymmetricPrivateKey secret in the vendored file packrat/lib/.../openssl/doc/keys.html (an upstream openssl doc example key — a verified false positive already scoped-suppressed on aFIPC master via #116). Nothing in the log said so.

Fix

  • Trivy step now writes SARIF with exit-code: "0" (produce results, don't fail here).
  • SARIF upload to code scanning is unchanged.
  • New Report Trivy findings and gate step parses the SARIF, prints each FIXABLE CRITICAL/HIGH finding — rule / severity / path:line / message — into the run log, and exit 1s when any exist.

Same hard-gate behavior; the reason is now always visible. Verified the gate's jq against a real Trivy SARIF (prints both findings) and the clean case (exits 0). actionlint clean, YAML valid.

🤖 Generated with Claude Code

trivy-fs ran with format:sarif + exit-code:1, so every failure surfaced in
the run log only as "Process completed with exit code 1" — the actual
CVE/secret/misconfig went to trivy-results.sarif and was never printed. A
human reading the log could not tell WHY the required gate failed (verified
on ContextualWisdomLab/aFIPC PRs #108/#111/#115/#117: a HIGH
AsymmetricPrivateKey secret in a vendored openssl doc, invisible in the log).

The scan now writes SARIF with exit-code:0, and a new "Report Trivy findings
and gate" step parses the SARIF, prints each FIXABLE CRITICAL/HIGH finding
(rule, severity, path:line, message) into the run log, and fails the job when
any exist. Same hard-gate behavior, now with a visible reason. SARIF upload
to code scanning is unchanged.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01RTAMs4bpSZS77Xe3RQjv9P
@seonghobae

Copy link
Copy Markdown
Contributor Author

Superseded by #382 and the narrower Trivy log-printing path folded into it.

@seonghobae seonghobae closed this Jul 9, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant