revise Trivy reporting

.github/workflows/housekeeping.yaml

@@ -6,7 +6,7 @@ on:
   workflow_dispatch:
 
 env:
-  IMAGE_NAME: threatdragon/owasp-threat-dragon
+  IMAGE_NAME: threatdragon/owasp-threat-dragon:latest
 
 # for security reasons the github actions are pinned to specific release versions
 jobs:
@@ -65,12 +65,13 @@ jobs:
         with:
           ref: main
 
-      - name: Run vulnerability scanner
+      - name: Run Trivy vulnerability scanner
         uses: aquasecurity/[email protected]
         with:
-          image-ref: '${{ env.IMAGE_NAME }}:latest'
+          image-ref: '${{ env.IMAGE_NAME }}'
           format: 'template'
           template: '@/contrib/sarif.tpl'
+          trivyignores: '.github/workflows/.trivyignore'
           output: 'trivy-results.sarif'
 
       - name: Upload scan results to GitHub Security tab

.github/workflows/pull_request.yaml

@@ -13,8 +13,8 @@ env:
   ENCRYPTION_JWT_REFRESH_SIGNING_KEY: "${{ secrets.CI_JWT_REFRESH_SIGNING_KEY }}"
   ENCRYPTION_JWT_SIGNING_KEY: "${{ secrets.CI_JWT_SIGNING_KEY }}"
   ENCRYPTION_KEYS: "${{ secrets.CI_SESSION_ENCRYPTION_KEYS }}"
-  NODE_ENV: 'development'
-  SERVER_API_PROTOCOL: 'http'
+  NODE_ENV: development
+  SERVER_API_PROTOCOL: http
 
 # for security reasons the github actions are pinned to specific release versions
 jobs:
@@ -265,7 +265,7 @@ jobs:
           target: 'http://localhost:8080'
           rules_file_name: '.github/workflows/.zap-rules-web.tsv'
           allow_issue_writing: false
-          fail_action: true
+          fail_action: false
           artifact_name: ${{ env.ZAP_FILE }}
           cmd_options: '-a'
 
@@ -332,11 +332,9 @@ jobs:
     needs: build_docker_image
     permissions:
       contents: write
-      security-events: write
     if: ${{ ! always() }}
 
     steps:
-      # Need .trivyignore
       - name: Checkout
         uses: actions/[email protected]
 
@@ -355,4 +353,5 @@ jobs:
         with:
           image-ref: '${{ env.IMAGE_NAME }}'
           format: 'table'
+          trivyignores: '.github/workflows/.trivyignore'
           exit-code: 1

.github/workflows/push.yaml

@@ -12,7 +12,7 @@ env:
   # threatdragon is the working area on docker hub so use this area
   # owasp/threat-dragon is the final release area so DO NOT use that
   IMAGE_NAME: threatdragon/owasp-threat-dragon:latest
-  ZAP_FILE: "zap-scan-pr-${{ github.event.number }}"
+  ZAP_FILE: zap-scan-push
 
 # for security reasons the github actions are pinned to specific release versions
 jobs:
@@ -441,16 +441,22 @@ jobs:
     if: ${{ ! always() }}
 
     steps:
-      # Need .trivyignore
       - name: Checkout
         uses: actions/[email protected]
 
       - name: Run Trivy vulnerability scanner
         uses: aquasecurity/[email protected]
         with:
           image-ref: '${{ env.IMAGE_NAME }}'
-          format: 'table'
-          exit-code: 1
+          format: 'template'
+          template: '@/contrib/sarif.tpl'
+          trivyignores: '.github/workflows/.trivyignore'
+          output: 'trivy-results.sarif'
+
+      - name: Upload scan results to GitHub Security tab
+        uses: github/codeql-action/[email protected]
+        with:
+          sarif_file: 'trivy-results.sarif'
 
   desktop_windows_test:
     name: Windows desktop build test