Enhance security scanning workflow to include both vulnerabilities and secrets detection. Updated output formatting in GitHub Actions to provide clearer summaries of findings, including separate sections for package vulnerabilities and secrets. Improved logic for counting and reporting security issues based on Trivy scan results.

jaydrogers · jaydrogers · commit 2edcacb670e7 · 2024-12-11T13:02:44.000-06:00
diff --git a/.github/workflows/action_publish-images-security-updates.yml b/.github/workflows/action_publish-images-security-updates.yml
@@ -49,21 +49,34 @@ jobs:
         shell: bash
         run: |
           if [ -f trivy-results.json ]; then
-            VULN_COUNT=$(jq -r '.vulnerabilities | length // 0' trivy-results.json)
+            # Count both vulnerabilities and secrets
+            VULN_COUNT=$(jq -r '[.Results[] | (.Vulnerabilities, .Secrets) | select(. != null) | length] | add // 0' trivy-results.json)
+            
             if [ "${VULN_COUNT:-0}" -gt 0 ]; then
               echo "has_vulnerabilities=true" >> "$GITHUB_OUTPUT"
               
-              # Create native GitHub annotations for vulnerabilities
-              echo "# Security Vulnerabilities Found" >> $GITHUB_STEP_SUMMARY
-              echo "| Severity | Package | Installed Version | Vulnerability ID | Description |" >> $GITHUB_STEP_SUMMARY
-              echo "|----------|---------|-------------------|------------------|-------------|" >> $GITHUB_STEP_SUMMARY
+              echo "# Security Findings Found" >> $GITHUB_STEP_SUMMARY
               
-              jq -r '.vulnerabilities[] | "| \(.severity) | \(.pkgName) | \(.installedVersion) | \(.vulnerabilityID) | \(.title) |"' trivy-results.json >> $GITHUB_STEP_SUMMARY
+              # Handle OS/Package Vulnerabilities
+              if jq -e '.Results[] | select(.Vulnerabilities != null)' trivy-results.json > /dev/null; then
+                echo "## Package Vulnerabilities" >> $GITHUB_STEP_SUMMARY
+                echo "| Severity | Package | Installed Version | Fixed Version | Vulnerability ID |" >> $GITHUB_STEP_SUMMARY
+                echo "|----------|---------|-------------------|---------------|-----------------|" >> $GITHUB_STEP_SUMMARY
+                jq -r '.Results[] | select(.Vulnerabilities != null) | .Vulnerabilities[] | "| \(.Severity) | \(.PkgName) | \(.InstalledVersion) | \(.FixedVersion) | \(.VulnerabilityID) |"' trivy-results.json >> $GITHUB_STEP_SUMMARY
+              fi
               
-              echo "::notice::Found ${VULN_COUNT} security vulnerabilities that need to be addressed."
+              # Handle Secrets
+              if jq -e '.Results[] | select(.Secrets != null)' trivy-results.json > /dev/null; then
+                echo "## Secrets" >> $GITHUB_STEP_SUMMARY
+                echo "| Severity | Category | Title | Target | Rule ID |" >> $GITHUB_STEP_SUMMARY
+                echo "|----------|-----------|--------|---------|----------|" >> $GITHUB_STEP_SUMMARY
+                jq -r '.Results[] | select(.Secrets != null) | .Secrets[] | "| \(.Severity) | \(.Category) | \(.Title) | \(.Target) | \(.RuleID) |"' trivy-results.json >> $GITHUB_STEP_SUMMARY
+              fi
+              
+              echo "::notice::Found ${VULN_COUNT} security findings that need to be addressed."
             else
               echo "has_vulnerabilities=false" >> "$GITHUB_OUTPUT"
-              echo "No vulnerabilities found." >> $GITHUB_STEP_SUMMARY
+              echo "No security findings found." >> $GITHUB_STEP_SUMMARY
             fi
           else
             echo "Error: trivy-results.json not found"
