Code scanning items are not attributed to the image tag they exist on #291
Assignees
Comments
GROwen
added a commit
that referenced
this issue
Sep 4, 2024
GROwen
added a commit
that referenced
this issue
Sep 4, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Describe the bug
When Trivy scheduled scans are executed they run on both the 5.x and 6.x branches however on the Code Scanning dashboard the associated CVEs are attributed to the branch that ran the workflow. For scheduled events that is whatever the default branch is set to.
To Reproduce
Execute the workflow vulnerability-scan-schedule-5.x.ym
In an attempt to achieve the desired behaviour I've created a reusable workflow in branch 'A' that is called from another branch, branch 'B'
Expected behavior
The code scanning advisories listing attributes the advisory to the ref/tag of the package or ref/tag of the actions/checkout step
Using the above example of branch 'A' and 'B' I would expect the advisories to be attributed to branch 'B'
A further example
i.e. from the workflow in the feature/specify-branch-on-scan-5.x branch
I would expect/desire that the advisories in code scanning are attributed to 5.x
Actual behaviour
The code scanning advisories listing attributes the advisory to the ref/tag of the branch that executed the workflow, in the below example 6.x
The text was updated successfully, but these errors were encountered: