[CIRDEVOPS-2553] Adds parameters to debug trivy issues (#99)

paul-ylz · web-flow · commit 71451b5f2652 · 2024-07-03T11:56:04.000+08:00
* [CIRDEVOPS-2553] parameterize trivy output format

* [CIRDEVOPS-2553] parameterize trivy output filename

* [CIRDEVOPS-2553] parameterize trivy output filename [1]

* [CIRDEVOPS-2553] Add parameter to inspect trivy output

* [CIRDEVOPS-2553] When trivy inspect is on, upload result as an artifact
diff --git a/.github/workflows/terraform.yaml b/.github/workflows/terraform.yaml
@@ -7,6 +7,21 @@ on:
         type: boolean
         default: true
         required: false
+      trivy_format:
+        description: Output format (table, json, sarif, github)
+        type: string
+        default: sarif
+        required: false
+      trivy_output:
+        description: Save results to a file
+        type: string
+        default: 'trivy-results.sarif'
+        required: false
+      trivy_inspect_output:
+        description: Print trivy output for inspection, set to 'true' for debugging purposes
+        type: string
+        default: 'false'
+        required: false
       main_branch:
         description: Name of the main branch
         type: string
@@ -326,22 +341,30 @@ jobs:
         with:
           scan-type: 'config'
           hide-progress: false
-          format: 'sarif'
-          output: 'trivy-results.sarif'
+          format: ${{ inputs.trivy_format }}
+          output: ${{ inputs.trivy_output }}
           ignore-unfixed: true
           severity: 'CRITICAL,HIGH'
 
+      - name: Upload Trivy scan results to Github for inspection
+        if: ${{ inputs.trivy_inspect_output == 'true' }}
+        uses: actions/upload-artifact@v4
+        with:
+          path: ${{ inputs.trivy_output }}
+          retention-days: 1
+
       # https://github.com/aquasecurity/trivy/issues/5003
       - name: Remove git from url for sarif uploading
+        if: ${{ inputs.trivy_format == 'sarif' && inputs.trivy_output != '' }}
         shell: bash
         run: |
-          sed -i 's#git::https:/##g' trivy-results.sarif
+          sed -i 's#git::https:/##g' ${{ inputs.trivy_output }}
 
       - name: Upload Trivy scan results to GitHub Security tab
+        if: inputs.upload_sarif == true
         uses: github/codeql-action/upload-sarif@v3
         with:
-          sarif_file: 'trivy-results.sarif'
-        # if: inputs.upload_sarif == true
+          sarif_file: ${{ inputs.trivy_output }}
 
       - name: Get changed files
         id: changed-files
