fix: improve security-advisories.yml logic and coverage#1134
Merged
GrammaTonic merged 6 commits into develop on Mar 1, 2026
chore: promote develop to main
Promote develop to main - Release v2.5.0
Promote SBOM permission fix to main for v2.5.0 release re-run
Promote security scan checkout fix to main
Promote develop to main
- Fix severity filter: map selected level to explicit comma-separated list (LOW->LOW,MEDIUM,HIGH,CRITICAL) instead of broken LEVEL,CRITICAL which skipped intermediate severities
- Add Chrome-Go container scan: was missing entirely, leaving the Go toolchain dependencies unscanned (now builds Dockerfile.chrome-go, scans, uploads SARIF with advisory-chrome-go-container-scan category)
- Add concurrency group to prevent duplicate parallel runs on manual dispatch (cancel-in-progress)
- Remove unnecessary repository-projects:write permission (least privilege); add issues:write for the new notification step
- Add automatic GitHub issue creation when CRITICAL vulnerabilities are found, with duplicate-check to avoid flooding
- Add Chrome image cleanup step before Chrome-Go build to free disk
- Fix report template to show the actual severity list scanned
Summary
Fixes 6 logic and coverage issues in the Security Advisory Management workflow identified during code review.
Type of Change
Changes Made
1. Fix severity filter logic (BUG)
Trivy's --severity flag takes an explicit comma-separated list, not a minimum-and-above directive. The old code used LEVEL,CRITICAL, which meant selecting MEDIUM scanned only MEDIUM,CRITICAL, skipping HIGH entirely. It now maps the selected level to the correct full range via a case statement and a new severity_list output.
2. Add Chrome-Go container scan (MISSING COVERAGE)
The workflow scanned the filesystem, the standard container, and the Chrome container, but never scanned Dockerfile.chrome-go, leaving the Go 1.25.4 toolchain dependencies entirely unscanned. Added the full build, verify, SARIF scan, upload and JSON report cycle with the advisory-chrome-go-container-scan category. Includes a Chrome image cleanup step before the Chrome-Go build to free disk space.
3. Add concurrency group (RESILIENCE)
Unlike seed-trivy-sarif.yml, this workflow had no concurrency control. Multiple manual dispatches could run in parallel, wasting CI minutes. Added a concurrency group with cancel-in-progress.
4. Remove repository-projects:write permission (LEAST PRIVILEGE)
The workflow never interacts with GitHub Projects. Removed that permission and added issues:write for the new notification step.
5. Add critical vulnerability notification (ALERTING)
CRITICAL vulnerability counts were computed but nothing consumed them. Added a github-script step that creates a labeled GitHub issue when CRITICAL findings are detected, with a duplicate check to avoid flooding.
6. Fix report template accuracy
The security report markdown claimed "severity and above", but the scan was not doing that. Updated it to show the actual severity list being scanned.
Testing
Checklist
/cc @copilot
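The severity mapping from change 1, as an added shell example that is not the workflow code from this PR; the function names and the trailing usage lines are assumptions for illustration. It puts the old LEVEL,CRITICAL mapping beside the fixed cumulative list so the skipped severities are visible.

```shell
#!/bin/sh
# Added example (not the project's workflow): map the dispatch input to the
# explicit comma-separated list that Trivy's --severity flag expects.

# Old mapping described in the PR: "LEVEL,CRITICAL". Anything between the
# selected level and CRITICAL is silently skipped.
old_severity_list() {
  printf '%s,CRITICAL\n' "$1"
}

# Fixed mapping: the selected level and every level above it.
severity_list() {
  case "$1" in
    LOW)      echo "LOW,MEDIUM,HIGH,CRITICAL" ;;
    MEDIUM)   echo "MEDIUM,HIGH,CRITICAL" ;;
    HIGH)     echo "HIGH,CRITICAL" ;;
    CRITICAL) echo "CRITICAL" ;;
    *)        echo "unknown severity level: $1" >&2; return 1 ;;
  esac
}

# Lists the severities the old mapping dropped for a given level
# (empty when nothing was dropped, i.e. HIGH and CRITICAL).
skipped_by_old_mapping() {
  wanted=$(severity_list "$1") || return 1
  got=$(old_severity_list "$1")
  missing=""
  oldifs=$IFS; IFS=','
  for s in $wanted; do
    case ",$got," in
      *",$s,"*) ;;                                 # present in old list
      *) missing="${missing:+$missing,}$s" ;;     # dropped by old list
    esac
  done
  IFS=$oldifs
  echo "$missing"
}

# Usage mirroring the workflow step: export the list as a step output
# (GITHUB_OUTPUT falls back to /dev/null outside Actions) and show the
# Trivy invocation that would consume it.
level="${1:-MEDIUM}"
list=$(severity_list "$level") || exit 1
echo "severity_list=$list" >> "${GITHUB_OUTPUT:-/dev/null}"
echo "old mapping would have skipped: $(skipped_by_old_mapping "$level")"
echo "trivy fs --severity \"$list\" --format sarif --output trivy.sarif ."
```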