From 38a0c19f1c9b2a8a0d2bbd36ae07b4bbd0815ee1 Mon Sep 17 00:00:00 2001 From: Thomas Hucke Date: Thu, 21 May 2026 17:04:59 +0200 Subject: [PATCH 1/2] ci: run Trivy with markdown report instead of SARIF --- .github/trivy-markdown.tpl | 56 ++++++++++++++++++++++++++++++++++++ .github/workflows/trivy.yaml | 23 +++++++++++---- 2 files changed, 73 insertions(+), 6 deletions(-) create mode 100644 .github/trivy-markdown.tpl diff --git a/.github/trivy-markdown.tpl b/.github/trivy-markdown.tpl new file mode 100644 index 0000000..e5d5ce0 --- /dev/null +++ b/.github/trivy-markdown.tpl @@ -0,0 +1,56 @@ +{{- if . }} +{{- range . }} +

Target {{ escapeXML .Target }}

+{{- if (eq (len .Vulnerabilities) 0) }} +

No Vulnerabilities found

+{{- else }} +

Vulnerabilities ({{ len .Vulnerabilities }})

+ + + + + + + + + {{- range .Vulnerabilities }} + + + + + + + + {{- end }} +
PackageIDSeverityInstalled VersionFixed Version
{{ escapeXML .PkgName }}{{ escapeXML .VulnerabilityID }}{{ escapeXML .Severity }}{{ escapeXML .InstalledVersion }}{{ escapeXML .FixedVersion }}
+{{- end }} +{{- if (eq (len .Misconfigurations ) 0) }} +

No Misconfigurations found

+{{- else }} +

Misconfigurations

+ + + + + + + + + {{- range .Misconfigurations }} + + + + + + + + {{- end }} +
TypeIDCheckSeverityMessage
{{ escapeXML .Type }}{{ escapeXML .ID }}{{ escapeXML .Title }}{{ escapeXML .Severity }} + {{ escapeXML .Message }} +
{{ escapeXML .PrimaryURL }}
+
+{{- end }} +{{- end }} +{{- else }} +

Trivy Returned Empty Report

+{{- end }}
diff --git a/.github/workflows/trivy.yaml b/.github/workflows/trivy.yaml
index 5a4be42..9e6ab06 100644
--- a/.github/workflows/trivy.yaml
+++ b/.github/workflows/trivy.yaml
@@ -87,8 +87,11 @@ jobs:
 uses: aquasecurity/trivy-action@v0.36.0
 with:
 image-ref: '${{ env.REGISTRY }}/${{ needs.preparation.outputs.repo }}/${{ matrix.folder }}:${{ env.TARGET_IMAGE_BASETAG }}'
- format: 'sarif'
- output: 'trivy-results.sarif'
+ #format: 'sarif'
+ #output: 'trivy-results.sarif'
+ format: 'template'
+ output: 'trivy-results.md'
+ template: "@.github/trivy-markdown.tpl"
 severity: 'CRITICAL,HIGH'
 ignore-unfixed: true
 env:
@@ -96,8 +99,16 @@ jobs:
 TRIVY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
 INPUT_LIMIT_SEVERITIES_FOR_SARIF: true
 TARGET_IMAGE_BASETAG: ${{ env.TARGET_IMAGE_BASETAG }}
- - name: Upload Trivy scan results to GitHub Security tab
- uses: github/codeql-action/upload-sarif@v4
+ - name: Upload Trivy scan results as Markdows report
 if: always()
- with:
- sarif_file: 'trivy-results.sarif'
+ run: |
+ echo "# Trivy Scan Results for ${{ matrix.folder }}:${{ env.TARGET_IMAGE_BASETAG }}" > trivy-results.md
+ cat trivy-results.md >> trivy-results.md
+ echo "Trivy scan results uploaded as Markdown report"
+ env:
+ TARGET_IMAGE_BASETAG: ${{ env.TARGET_IMAGE_BASETAG }}
+ #- name: Upload Trivy scan results to GitHub Security tab
+ # uses: github/codeql-action/upload-sarif@v4
+ # if: always()
+ # with:
+ # sarif_file: 'trivy-results.sarif'
From 01706c4e185fac06a121e5506b8081fb88e7c6fb Mon Sep 17 00:00:00 2001
From: Thomas Hucke
Date: Thu, 21 May 2026 17:11:18 +0200
Subject: [PATCH 2/2] ci: fix report output
---
.github/workflows/trivy.yaml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/trivy.yaml b/.github/workflows/trivy.yaml
index 9e6ab06..12e7d75 100644
--- a/.github/workflows/trivy.yaml
+++ b/.github/workflows/trivy.yaml
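Review bot: The Vulnerabilities table in the new template prints no advisory link, while the Misconfigurations table below it prints `{{ escapeXML .PrimaryURL }}`; a reader of the step summary gets the vulnerability ID but nothing to triage from. As far as I know Trivy's vulnerability entries expose the same `PrimaryURL` field, so the row could gain one cell `{{ escapeXML .PrimaryURL }}` with a matching header, if that fits how the team triages. The HTML tags appear stripped in this view, so the surrounding table markup could not be checked here.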
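Review bot: Switching `format` to `template` while the SARIF upload is commented out (next hunk) means CRITICAL/HIGH findings no longer become code-scanning alerts, and since the `with:` block visible here sets no `exit-code`, the scan step does not fail the job either; unless `exit-code` is set outside the hunk, the findings now exist only in a per-run step summary with no tracking and no gate. Consider adding `exit-code: '1'` to the `with:` block, or keeping a SARIF-producing scan step next to the markdown one, so the report does not quietly become informational. The commented-out `#format`/`#output` lines should be deleted rather than kept, and `INPUT_LIMIT_SEVERITIES_FOR_SARIF: true` in the env of the next hunk is now dead configuration.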
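Review bot: The new `run:` step executes under `if: always()`, so when the scan step fails before writing `trivy-results.md` the `cat trivy-results.md` line exits non-zero (`run:` steps use `bash -e` by default) and the reporting step errors instead of reporting that no output exists; guard it, e.g. `if [ -f trivy-results.md ]; then cat trivy-results.md >> "$GITHUB_STEP_SUMMARY"; else echo "no report produced" >> "$GITHUB_STEP_SUMMARY"; fi` on top of the redirect fix in the second patch of this series. The step name has a typo (`Markdows`), and the closing `echo "Trivy scan results uploaded as Markdown report"` is misleading since nothing is uploaded anywhere. The commented-out upload-sarif block should be removed; git history keeps it.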
@@ -102,8 +102,8 @@ jobs:
 - name: Upload Trivy scan results as Markdows report
 if: always()
 run: |
- echo "# Trivy Scan Results for ${{ matrix.folder }}:${{ env.TARGET_IMAGE_BASETAG }}" > trivy-results.md
- cat trivy-results.md >> trivy-results.md
+ echo "# Trivy Scan Results for ${{ matrix.folder }}:${{ env.TARGET_IMAGE_BASETAG }}" > ${GITHUB_STEP_SUMMARY}
+ cat trivy-results.md >> ${GITHUB_STEP_SUMMARY}
 echo "Trivy scan results uploaded as Markdown report"
 env:
 TARGET_IMAGE_BASETAG: ${{ env.TARGET_IMAGE_BASETAG }}
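Review bot: `${{ matrix.folder }}` and `${{ env.TARGET_IMAGE_BASETAG }}` in the new `echo` line are expanded into the script text before bash runs it, so any shell-significant characters in those values become part of the command; the step already maps `TARGET_IMAGE_BASETAG` into `env:`, so read it from the environment and pass the folder the same way. Add `FOLDER: ${{ matrix.folder }}` under `env:`, then write `echo "# Trivy Scan Results for ${FOLDER}:${TARGET_IMAGE_BASETAG}" > "$GITHUB_STEP_SUMMARY"` and `cat trivy-results.md >> "$GITHUB_STEP_SUMMARY"` (both `${GITHUB_STEP_SUMMARY}` expansions are unquoted in the hunk). Where `matrix.folder` is defined is outside the hunk, so whether it can carry untrusted content cannot be judged here; routing values through `env:` is the documented GitHub practice either way.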