
feat(workflows): detailed per-image scan report #47

Merged: toddysm merged 2 commits into main from feat/scan-detailed-report on Jun 5, 2026

Conversation

@toddysm (Owner) commented Jun 5, 2026

Summary

Adds detailed scan reporting to the reusable _scan-image.yml workflow. For every scanned tag the workflow now produces a clear report of what was scanned, whether it was promoted, and the vulnerabilities found — including whether each one was blocking or covered by the exception list.

What's new

  • Run-log report per image: image ref, outcome (promoted / left in quarantine / dry-run), threshold, finding counts, and a per-CVE table (CVE, severity, package, installed version, blocking-vs-excepted).
  • Job summary keeps the per-tag overview table and adds a collapsible per-image vulnerability detail section listing each CVE with severity, package, installed/fixed versions, and a blocking/excepted status (with a legend).
  • CVEs are deduplicated and ordered by severity (CRITICAL → LOW).

Validation

  • YAML parse, bash -n, and actionlint all pass.
  • Smoke-tested the parsing/report logic against a mock Trivy JSON: dedup, severity ranking, and exception matching verified.

Notes

No input or behavior changes to the gate itself — this is reporting only. Docs updated in scan-and-promote-workflows.md.

For each scanned tag the reusable workflow now emits a report to the run
log and the job summary describing:

- the image scanned and whether it was promoted or left in quarantine
- every vulnerability at or above the threshold (severity, package,
  installed/fixed versions)
- whether each finding was blocking or matched the exception list

The job summary keeps the per-tag overview table and adds a collapsible
per-image vulnerability detail section.
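An added example (not the workflow's own code, which is bash in `_scan-image.yml`) that reproduces the parsing/report logic described above in Python against a constructed mock Trivy JSON: unique CVE IDs, ordering CRITICAL to LOW, a severity threshold, and a blocking/excepted tag per finding. The `Results`/`Vulnerabilities` key names are Trivy's; the function names, the mock data, and the report layout are assumptions of this example.

```python
import json

SEVERITY_RANK = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3, "UNKNOWN": 4}  # ordering + threshold

# Constructed mock Trivy JSON (Trivy's own key names); CVE-2024-0001 appears in
# two targets so the deduplication path is exercised.
MOCK_TRIVY_JSON = json.dumps({"Results": [
    {"Target": "alpine (3.19)", "Vulnerabilities": [
        {"VulnerabilityID": "CVE-2024-0001", "Severity": "HIGH", "PkgName": "openssl",
         "InstalledVersion": "3.1.4-r0", "FixedVersion": "3.1.5-r0"},
        {"VulnerabilityID": "CVE-2024-0002", "Severity": "CRITICAL", "PkgName": "busybox",
         "InstalledVersion": "1.36.1-r0", "FixedVersion": "1.36.1-r1"}]},
    {"Target": "app/requirements.txt", "Vulnerabilities": [
        {"VulnerabilityID": "CVE-2024-0001", "Severity": "HIGH", "PkgName": "openssl",
         "InstalledVersion": "3.1.4-r0", "FixedVersion": "3.1.5-r0"},
        {"VulnerabilityID": "CVE-2024-0003", "Severity": "LOW", "PkgName": "urllib3",
         "InstalledVersion": "1.26.0", "FixedVersion": ""}]}]})

def parse_findings(trivy_json, threshold="HIGH", exceptions=()):
    """Unique CVEs at or above the threshold, ordered CRITICAL -> LOW, each
    tagged 'excepted' if its ID is in the exception list, else 'blocking'."""
    limit = SEVERITY_RANK[threshold.upper()]
    seen = {}
    for result in json.loads(trivy_json).get("Results", []):
        for v in result.get("Vulnerabilities") or []:  # Trivy emits null when none
            sev, cve = v.get("Severity", "UNKNOWN").upper(), v["VulnerabilityID"]
            if SEVERITY_RANK.get(sev, 4) > limit or cve in seen:
                continue  # below threshold, or same CVE already recorded
            seen[cve] = {"cve": cve, "severity": sev, "pkg": v.get("PkgName", ""),
                         "installed": v.get("InstalledVersion", ""),
                         "fixed": v.get("FixedVersion") or "-",
                         "status": "excepted" if cve in exceptions else "blocking"}
    return sorted(seen.values(), key=lambda f: (SEVERITY_RANK[f["severity"]], f["cve"]))

def gate_outcome(findings):
    """Any blocking finding leaves the image in quarantine; otherwise promote."""
    return "quarantine" if any(f["status"] == "blocking" for f in findings) else "promoted"

def render_report(image_ref, findings, threshold="HIGH"):
    """Run-log style report: image, outcome, counts, then one row per CVE."""
    blocking = sum(f["status"] == "blocking" for f in findings)
    lines = [f"Image: {image_ref}  Outcome: {gate_outcome(findings)}  Threshold: {threshold}",
             f"CVEs: {len(findings)} (blocking {blocking}, excepted {len(findings) - blocking})",
             "CVE | Severity | Package | Installed | Fixed | Status"]
    for f in findings:
        lines.append(f"{f['cve']} | {f['severity']} | {f['pkg']} | "
                     f"{f['installed']} | {f['fixed']} | {f['status']}")
    return "\n".join(lines)
```

Counts are unique CVE IDs, so the duplicate openssl finding contributes one row, and an excepted CVE is still listed but does not block promotion.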

Copilot AI left a comment

Pull request overview

This PR enhances the reusable container scanning workflow by adding richer, human-readable reporting in both the run log and the GitHub Actions job summary, and updates the architecture docs to describe the new reporting output.

Changes:

  • Add per-image run-log reporting and a collapsible per-image vulnerability detail section in the job summary.
  • Include per-CVE metadata (severity, package, installed/fixed versions) with severity-ranked ordering and deduping.
  • Update workflow architecture documentation to reflect the new report outputs.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 5 comments.

File | Description
.github/workflows/_scan-image.yml | Adds detailed per-tag console reporting and expands the job summary with per-image vulnerability details.
docs/architecture/workflows/scan-and-promote-workflows.md | Documents the new reporting behavior and outputs produced by the reusable scan workflow.

- Build comma-separated, Markdown-safe display variants (remaining_md,
  excepted_md) for the summary tables; keep the pipe-separated
  excepted_str only for the oras annotation
- Replace `paste -sd ', '` (alternating-char delimiter) with a proper
  comma+space join
- Relabel finding counts as "CVEs" in the run log, the <details> summary,
  and the overview table header (counts are unique CVE IDs)
- Drop the unused `tee` to a temp file; print the report directly
@toddysm toddysm merged commit 4498646 into main Jun 5, 2026
@toddysm toddysm deleted the feat/scan-detailed-report branch June 5, 2026 21:56