fix: docker workflow security upload (#1951)

* Fix artifact upload paths for CodeQL and SBOM results

- Correct CodeQL SARIF path from **/results to ../results (relative to workspace)
- Add fallback path for SBOM to handle different generation locations
- This should resolve the 'No files were found' warnings for artifacts

* Test commit to trigger Security Analysis workflow with fixed artifact paths

* Update docker.yaml

* Update security.yaml

* Update security.yaml
This commit is contained in:
Stijnus
2025-08-31 15:14:31 +02:00
committed by GitHub
parent b88eb6ee15
commit 8c34f72c63
3 changed files with 9 additions and 19 deletions


@@ -61,18 +61,6 @@ jobs:
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@master
with:
image-ref: ${{ env.REGISTRY }}/${{ steps.image.outputs.name }}:${{ steps.meta.outputs.version }}
format: 'sarif'
output: 'trivy-results.sarif'
- name: Upload Trivy scan results to GitHub Security
uses: github/codeql-action/upload-sarif@v3
if: always()
with:
sarif_file: 'trivy-results.sarif'
- name: Check manifest
run: docker buildx imagetools inspect ${{ env.REGISTRY }}/${{ steps.image.outputs.name }}:${{ steps.meta.outputs.version }}


@@ -18,7 +18,7 @@ jobs:
codeql:
name: CodeQL Analysis
runs-on: ubuntu-latest
timeout-minutes: 360
timeout-minutes: 45
strategy:
fail-fast: false
@@ -35,23 +35,22 @@ jobs:
languages: ${{ matrix.language }}
queries: security-extended,security-and-quality
- name: Setup and Build
uses: ./.github/actions/setup-and-build
- name: Autobuild
uses: github/codeql-action/autobuild@v3
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v3
with:
category: "/language:${{matrix.language}}"
upload: false
output: "codeql-results"
- name: Upload CodeQL results as artifact
uses: actions/upload-artifact@v4
if: always()
with:
name: codeql-results-${{ matrix.language }}
path: |
**/results/**/*.sarif
**/results/**/*.sarif.json
path: codeql-results
dependency-scan:
name: Dependency Vulnerability Scan
@@ -90,7 +89,9 @@ jobs:
if: always()
with:
name: sbom-results
path: sbom.spdx.json
path: |
sbom.spdx.json
**/sbom.spdx.json
secrets-scan:
name: Secrets Detection
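Review bot: With `upload: false` on the analyze step and only `actions/upload-artifact` consuming `codeql-results`, the `security-extended` findings never reach GitHub code scanning, so the path fix makes the SARIF land in a downloadable artifact but produces no alerts or PR annotations. Unless offline-only results are the intent, add a `github/codeql-action/upload-sarif@v3` step after the artifact upload that points at the same directory (`sarif_file` accepts a directory of `.sarif` files); the job also needs `security-events: write`, which is outside this hunk, and the codeql job continues beyond the hunk, so an existing upload step there would make this redundant. The same pattern appears in the docker.yaml section, where the Trivy scan and its SARIF upload are deleted outright rather than repaired, leaving the published image unscanned. The commit description also says the CodeQL path was corrected to `../results`, while the hunk sets `output: "codeql-results"`; the description should match the change.
```yaml
      # … unchanged: Perform CodeQL Analysis (upload: false, output: "codeql-results") and artifact upload …
      - name: Upload CodeQL results to code scanning
        uses: github/codeql-action/upload-sarif@v3
        if: always()
        with:
          sarif_file: codeql-results
          category: "/language:${{matrix.language}}"
```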


@@ -366,3 +366,4 @@ For answers to common questions, issues, and to see a list of recommended models
**Who needs a commercial WebContainer API license?**
bolt.diy source code is distributed as MIT, but it uses WebContainers API that [requires licensing](https://webcontainers.io/enterprise) for production usage in a commercial, for-profit setting. (Prototypes or POCs do not require a commercial license.) If you're using the API to meet the needs of your customers, prospective customers, and/or employees, you need a license to ensure compliance with our Terms of Service. Usage of the API in violation of these terms may result in your access being revoked.
# Test commit to trigger Security Analysis workflow