From 8c34f72c63969d735cb854ff8f4a89aad9a0cd86 Mon Sep 17 00:00:00 2001 From: Stijnus <72551117+Stijnus@users.noreply.github.com> Date: Sun, 31 Aug 2025 15:14:31 +0200 Subject: [PATCH] fix: docker workflow security upload (#1951) * Fix artifact upload paths for CodeQL and SBOM results - Correct CodeQL SARIF path from **/results to ../results (relative to workspace) - Add fallback path for SBOM to handle different generation locations - This should resolve the 'No files were found' warnings for artifacts * Test commit to trigger Security Analysis workflow with fixed artifact paths * Update docker.yaml * Update security.yaml * Update security.yaml --- .github/workflows/docker.yaml | 12 ------------ .github/workflows/security.yaml | 15 ++++++++------- README.md | 1 + 3 files changed, 9 insertions(+), 19 deletions(-) diff --git a/.github/workflows/docker.yaml b/.github/workflows/docker.yaml index 72dd74e..e39b173 100644 --- a/.github/workflows/docker.yaml +++ b/.github/workflows/docker.yaml @@ -61,18 +61,6 @@ jobs: tags: ${{ steps.meta.outputs.tags }} labels: ${{ steps.meta.outputs.labels }} - - name: Run Trivy vulnerability scanner - uses: aquasecurity/trivy-action@master - with: - image-ref: ${{ env.REGISTRY }}/${{ steps.image.outputs.name }}:${{ steps.meta.outputs.version }} - format: 'sarif' - output: 'trivy-results.sarif' - - - name: Upload Trivy scan results to GitHub Security - uses: github/codeql-action/upload-sarif@v3 - if: always() - with: - sarif_file: 'trivy-results.sarif' - name: Check manifest run: docker buildx imagetools inspect ${{ env.REGISTRY }}/${{ steps.image.outputs.name }}:${{ steps.meta.outputs.version }} \ No newline at end of file diff --git a/.github/workflows/security.yaml b/.github/workflows/security.yaml index d35c165..66378b9 100644 --- a/.github/workflows/security.yaml +++ b/.github/workflows/security.yaml @@ -18,7 +18,7 @@ jobs: codeql: name: CodeQL Analysis runs-on: ubuntu-latest - timeout-minutes: 360 + timeout-minutes: 45 strategy: fail-fast: false @@ -35,23 +35,22 @@ jobs: languages: ${{ matrix.language }} queries: security-extended,security-and-quality - - name: Setup and Build - uses: ./.github/actions/setup-and-build + - name: Autobuild + uses: github/codeql-action/autobuild@v3 - name: Perform CodeQL Analysis uses: github/codeql-action/analyze@v3 with: category: "/language:${{matrix.language}}" upload: false + output: "codeql-results" - name: Upload CodeQL results as artifact uses: actions/upload-artifact@v4 if: always() with: name: codeql-results-${{ matrix.language }} - path: | - **/results/**/*.sarif - **/results/**/*.sarif.json + path: codeql-results dependency-scan: name: Dependency Vulnerability Scan @@ -90,7 +89,9 @@ jobs: if: always() with: name: sbom-results - path: sbom.spdx.json + path: | + sbom.spdx.json + **/sbom.spdx.json secrets-scan: name: Secrets Detection diff --git a/README.md b/README.md index 0a98623..6319f67 100644 --- a/README.md +++ b/README.md @@ -366,3 +366,4 @@ For answers to common questions, issues, and to see a list of recommended models **Who needs a commercial WebContainer API license?** bolt.diy source code is distributed as MIT, but it uses WebContainers API that [requires licensing](https://webcontainers.io/enterprise) for production usage in a commercial, for-profit setting. (Prototypes or POCs do not require a commercial license.) If you're using the API to meet the needs of your customers, prospective customers, and/or employees, you need a license to ensure compliance with our Terms of Service. Usage of the API in violation of these terms may result in your access being revoked. +# Test commit to trigger Security Analysis workflow