Clarify the effects of vulnerability scans

CrunchyData · Nov 1, 2024 · a6ba2e3 · a6ba2e3
1 parent 808b5f5
commit a6ba2e3
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 18 deletions.
diff --git a/.github/workflows/codeql-analysis.yaml b/.github/workflows/codeql-analysis.yaml
@@ -1,3 +1,4 @@
+# https://codeql.github.com
 name: CodeQL
 
 on:
@@ -15,14 +16,13 @@ env:
 
 jobs:
   analyze:
-    runs-on: ubuntu-latest
+    if: ${{ github.repository == 'CrunchyData/postgres-operator' }}
     permissions:
       actions: read
       contents: read
       security-events: write
 
-    if: ${{ github.repository == 'CrunchyData/postgres-operator' }}
-
+    runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
       - uses: actions/setup-go@v5

diff --git a/.github/workflows/trivy.yaml b/.github/workflows/trivy.yaml
@@ -1,3 +1,4 @@
+# https://aquasecurity.github.io/trivy
 name: Trivy
 
 on:
@@ -34,32 +35,25 @@ jobs:
 
   vulnerabilities:
     if: ${{ github.repository == 'CrunchyData/postgres-operator' }}
-
     permissions:
-      # for github/codeql-action/upload-sarif to upload SARIF results
-      security-events: write 
+      security-events: write
 
     runs-on: ubuntu-latest
-
     steps:
       - uses: actions/checkout@v4
 
-      # Run trivy and log detected and fixed vulnerabilities
-      # This report should match the uploaded code scan report below
-      # and is a convenience/redundant effort for those who prefer to
-      # read logs and/or if anything goes wrong with the upload.
-      - name: Log all detected vulnerabilities
+      # Print any detected secrets or vulnerabilities to the workflow log for
+      # human consumption. This step fails only when Trivy is unable to scan.
+      # A later step uploads results to GitHub as a pull request check.
+      - name: Log detected vulnerabilities
         uses: aquasecurity/trivy-action@0.28.0
         with:
           scan-type: filesystem
           hide-progress: true
-          ignore-unfixed: true
           scanners: secret,vuln
 
-      # Upload actionable results to the GitHub Security tab.
-      # Pull request checks fail according to repository settings.
-      # - https://docs.github.com/en/code-security/code-scanning/integrating-with-code-scanning/uploading-a-sarif-file-to-github
-      # - https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning
+      # Produce a SARIF report of actionable results. This step fails only when
+      # Trivy is unable to scan.
       - name: Report actionable vulnerabilities
         uses: aquasecurity/trivy-action@0.28.0
         with:
@@ -69,7 +63,10 @@ jobs:
           output: 'trivy-results.sarif'
           scanners: secret,vuln
 
-      - name: Upload Trivy scan results to GitHub Security tab
+      # Submit the SARIF report to GitHub code scanning. Pull requests checks
+      # succeed or fail according to branch protection rules.
+      # - https://docs.github.com/en/code-security/code-scanning
+      - name: Upload results to GitHub
         uses: github/codeql-action/upload-sarif@v3
         with:
           sarif_file: 'trivy-results.sarif'