
feat(security-scan): add SARIF upload to docker and ECR security scans#72

Merged
davidf-null merged 2 commits into main from feat/sarif-upload-security-scans on May 21, 2026

Conversation

@davidf-null

Collaborator

Summary

  • Adds SARIF upload to docker-security-scan workflow so vulnerability results are visible in the GitHub Security tab
  • Adds SARIF upload to ecr-security-scan workflow with per-image SARIF files uploaded as a directory
  • Both workflows get security-events: write permission and a new upload_sarif input (default: true) to opt out if needed

Changes

docker-security-scan.yml

  • Added security-events: write permission
  • Added upload_sarif input (boolean, default true)
  • Main scan runs with continue-on-error: true so SARIF generation is not skipped on failure
  • New step generates SARIF via a second Trivy pass
  • New step uploads SARIF to Security tab with category: trivy-docker-{image_name}
  • Explicit fail step based on original scan outcome

ecr-security-scan.yml

  • Added security-events: write permission
  • Added upload_sarif input (boolean, default true)
  • SARIF generated per image inside the scan loop → sarif-results/{IMAGE_NAME}.sarif
  • New step uploads the sarif-results/ directory (CodeQL action supports multi-file directories)

Test plan

  • Trigger docker-security-scan on a repo with known vulnerabilities and verify results appear under Security → Code scanning
  • Trigger ecr-security-scan and verify per-image SARIF results appear in Security tab
  • Verify upload_sarif: false skips the SARIF steps without breaking the scan

🤖 Generated with Claude Code
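The PR description lists the steps but the page does not show the diff. The reusable workflow below is an added illustration written for this page, not the repository's own `docker-security-scan.yml` or `ecr-security-scan.yml`, and it follows the sequence the description gives: a gating Trivy scan with `continue-on-error: true`, a second Trivy pass that only writes SARIF, an upload with a `trivy-docker-{image_name}` category, an explicit fail step keyed off the first scan's outcome, and a per-image loop that writes `sarif-results/{IMAGE_NAME}.sarif` files and uploads the directory. The `image_name` input name, the action version pins (`aquasecurity/trivy-action@0.28.0`, `github/codeql-action/upload-sarif@v3`), the `CRITICAL,HIGH` severity gate, the `trivy-results.sarif` filename, the Trivy install script and the sample ECR image list are all assumptions made for the example.

```yaml
# Added example, not the project's workflow. Shows the SARIF-upload pattern
# described in the PR for both a single image and a batch of ECR images.
name: security-scan-example

on:
  workflow_call:
    inputs:
      image_name:               # assumed input name for the single-image scan
        required: true
        type: string
      upload_sarif:             # opt-out switch, default true as in the PR
        required: false
        type: boolean
        default: true

permissions:
  contents: read
  security-events: write      # needed by codeql-action/upload-sarif;
                              # a caller of a reusable workflow must grant it too

jobs:
  docker-scan:
    runs-on: ubuntu-latest
    steps:
      # Gating scan. continue-on-error keeps the job alive so the SARIF steps
      # still run; the real verdict is kept in steps.scan.outcome.
      - name: Trivy scan (gating)
        id: scan
        continue-on-error: true
        uses: aquasecurity/trivy-action@0.28.0   # assumed version pin
        with:
          image-ref: ${{ inputs.image_name }}
          format: table
          exit-code: "1"
          severity: CRITICAL,HIGH                 # assumed gate threshold

      # Second pass only writes SARIF; exit-code 0 so it never fails on its own.
      - name: Trivy scan (SARIF)
        if: inputs.upload_sarif
        uses: aquasecurity/trivy-action@0.28.0
        with:
          image-ref: ${{ inputs.image_name }}
          format: sarif
          output: trivy-results.sarif              # assumed filename
          exit-code: "0"

      - name: Upload SARIF to the Security tab
        if: inputs.upload_sarif
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: trivy-results.sarif
          category: trivy-docker-${{ inputs.image_name }}

      # Explicit fail step: outcome (not conclusion) reflects the real result
      # of a continue-on-error step, so the job still goes red on findings.
      - name: Fail on vulnerabilities
        if: steps.scan.outcome == 'failure'
        run: |
          echo "::error::Trivy found CRITICAL/HIGH vulnerabilities in ${{ inputs.image_name }}"
          exit 1

  ecr-scan:
    runs-on: ubuntu-latest
    env:
      # Constructed sample list; the real workflow would enumerate images from ECR.
      IMAGES: >-
        123456789012.dkr.ecr.us-east-1.amazonaws.com/api:1.4.2
        123456789012.dkr.ecr.us-east-1.amazonaws.com/worker:2.0.0
    steps:
      - name: Install Trivy CLI
        run: curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin

      # One SARIF file per image, named by the repository path without tag.
      - name: Scan each image into sarif-results/
        if: inputs.upload_sarif
        run: |
          mkdir -p sarif-results
          for image in $IMAGES; do
            name="${image##*/}"      # api:1.4.2
            name="${name%%:*}"       # api
            trivy image --format sarif --exit-code 0 \
              --output "sarif-results/${name}.sarif" "$image"
          done

      # upload-sarif accepts a directory and picks up every .sarif file in it.
      - name: Upload SARIF directory
        if: inputs.upload_sarif
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: sarif-results
```

Two points worth checking when adapting this: `steps.scan.outcome` is the value to gate on, since `conclusion` is always `success` for a `continue-on-error` step; and the directory upload has a single `category` input for the whole step, so per-image results are told apart by their SARIF contents rather than by category.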

Enables GitHub Security tab visualization for docker-security-scan and
ecr-security-scan workflows by uploading Trivy results in SARIF format.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…ty scans

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@davidf-null davidf-null merged commit fdb8e24 into main May 21, 2026
2 checks passed
@davidf-null davidf-null deleted the feat/sarif-upload-security-scans branch May 21, 2026 17:42


2 participants