From 2ea13c1186c7391d24f3b488e2a386a8830c1242 Mon Sep 17 00:00:00 2001
From: Tom Conner
Date: Fri, 23 May 2025 00:20:16 -0400
Subject: [PATCH 1/4] upload sarif from trivy scan
---
 .github/workflows/trivy.yml | 40 ++++++++++++++++++-------------------
 1 file changed, 19 insertions(+), 21 deletions(-)
diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml
index 0d8704507..979dd06a1 100644
--- a/.github/workflows/trivy.yml
+++ b/.github/workflows/trivy.yml
@@ -3,7 +3,7 @@ on:
 # This workflow fails if run too frequently, due to rate limiting.
 #pull_request:
 schedule:
- - cron: '0 14 * * 1' # each Monday at 9am EST
+ - cron: "0 14 * * 1" # each Monday at 9am EST
 workflow_dispatch:
 jobs:
@@ -15,29 +15,27 @@ jobs:
 fail-fast: false
 matrix:
 include:
- - dir: batch
- - dir: bastion
- - dir: cis
- - dir: sdarq/frontend
- - dockerfile: sdarq/backend/Dockerfile
- - dir: zap
+ - dir: batch
+ - dir: bastion
+ - dir: cis
+ - dir: sdarq/frontend
+ - dockerfile: sdarq/backend/Dockerfile
+ - dir: zap
 env:
 SARIF_PATH: ${{ matrix.dir }}/trivy-results.sarif
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@v4
- - uses: broadinstitute/dsp-appsec-trivy-action@v1
- with:
- context: ${{ matrix.dir || '.' }}
- dockerfile: ${{ matrix.dockerfile || 'Dockerfile' }}
- severities: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
- # sarif: ${{ !github.base_ref && env.SARIF_PATH || '' }}
+ - uses: broadinstitute/dsp-appsec-trivy-action@v1
+ with:
+ context: ${{ matrix.dir || '.' }}
+ dockerfile: ${{ matrix.dockerfile || 'Dockerfile' }}
+ severities: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
+ sarif: ${{ !github.base_ref && env.SARIF_PATH || '' }}
- # NOTE: this functionality is limited to public repos only;
- # TODO: uncomment the Cron schedule and Sarif config when made public
- # - name: Upload Trivy scan results to GitHub Security tab
- # uses: github/codeql-action/upload-sarif@v1
- # if: ${{ !github.base_ref }} # omit upload on PRs
- # with:
- # sarif_file: ${{ env.SARIF_PATH }}
+ - name: Upload Trivy scan results to GitHub Security tab
+ uses: github/codeql-action/upload-sarif@v1
+ if: ${{ !github.base_ref }} # omit upload on PRs
+ with:
+ sarif_file: ${{ env.SARIF_PATH }}
From 2a768b90a50b7fcb14f8762535cc877e08c54fc5 Mon Sep 17 00:00:00 2001
From: Tom Conner
Date: Fri, 23 May 2025 01:21:02 -0400
Subject: [PATCH 2/4] bump upload-sarif action and add two more images
---
 .github/workflows/trivy.yml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml
index 979dd06a1..03c024949 100644
--- a/.github/workflows/trivy.yml
+++ b/.github/workflows/trivy.yml
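Review bot: The `sarif:` input enabled here and the `sarif_file:` of the new upload step both take `env.SARIF_PATH`, which the job-level `env:` in this hunk builds as `${{ matrix.dir }}/trivy-results.sarif`; for the matrix entry that sets only `dockerfile: sdarq/backend/Dockerfile`, `matrix.dir` is empty and the path becomes `/trivy-results.sarif`, outside the workspace. Build it with the same fallback the `context:` input already uses, `SARIF_PATH: ${{ matrix.dir || '.' }}/trivy-results.sarif`. Uploading to the Security tab also requires the job's token to hold `security-events: write`; any `permissions:` block lies before this hunk, so confirm it is granted, otherwise the upload step fails on repositories whose default token permissions are read-only. The enclosing job starts before this hunk.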
@@ -18,8 +18,10 @@ jobs:
 - dir: batch
 - dir: bastion
 - dir: cis
+ - dir: defectdojo
 - dir: sdarq/frontend
 - dockerfile: sdarq/backend/Dockerfile
+ - dir: security-controls
 - dir: zap
 env:
 SARIF_PATH: ${{ matrix.dir }}/trivy-results.sarif
@@ -35,7 +37,7 @@ jobs:
 sarif: ${{ !github.base_ref && env.SARIF_PATH || '' }}
 - name: Upload Trivy scan results to GitHub Security tab
- uses: github/codeql-action/upload-sarif@v1
+ uses: github/codeql-action/upload-sarif@v2.21.3
 if: ${{ !github.base_ref }} # omit upload on PRs
 with:
 sarif_file: ${{ env.SARIF_PATH }}
From 9439e5dfea2cafb1852f8450651537cb4cc8a4eb Mon Sep 17 00:00:00 2001
From: Tom Conner
Date: Fri, 23 May 2025 01:32:35 -0400
Subject: [PATCH 3/4] don't fail just because scan was correctly skipped
---
 .github/workflows/trivy.yml | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml
index 03c024949..f5ce14476 100644
--- a/.github/workflows/trivy.yml
+++ b/.github/workflows/trivy.yml
@@ -36,8 +36,22 @@ jobs:
 severities: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
 sarif: ${{ !github.base_ref && env.SARIF_PATH || '' }}
+ - name: Check if SARIF file exists
+ id: sarif_check
+ run: |
+ if [ -f "${{ env.SARIF_PATH }}" ]; then
+ echo "exists=true" >> $GITHUB_OUTPUT
+ else
+ echo "exists=false" >> $GITHUB_OUTPUT
+ fi
+
 - name: Upload Trivy scan results to GitHub Security tab
 uses: github/codeql-action/upload-sarif@v2.21.3
- if: ${{ !github.base_ref }} # omit upload on PRs
+ if: ${{ steps.sarif_check.outputs.exists == 'true' && !github.base_ref }}
 with:
 sarif_file: ${{ env.SARIF_PATH }}
+
+ - name: Log SARIF upload skipped
+ if: ${{ steps.sarif_check.outputs.exists != 'true' || github.base_ref }}
+ run: |
+ echo "SARIF upload skipped: either SARIF file missing or this is a PR."
From 029c7205a25b65c5f04a1ca18d0d52c780d96234 Mon Sep 17 00:00:00 2001
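Review bot: `uses: github/codeql-action/upload-sarif@v2.21.3` pins a mutable release tag on the v2 line of codeql-action, which GitHub has announced as deprecated in favour of v3, so this upload is likely to emit deprecation warnings or stop being accepted; move to the v3 line. For a step that writes security findings into the repository, pin the action to the release's full commit SHA with the version in a trailing comment rather than a tag, e.g. `uses: github/codeql-action/upload-sarif@<release-commit-sha>  # v3.x.y` (the SHA is a placeholder to look up), and the same applies to `broadinstitute/dsp-appsec-trivy-action@v1` and `actions/checkout@v4` in the surrounding steps. The enclosing job starts before this hunk.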
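Review bot: The `run:` script of the new `Check if SARIF file exists` step expands `${{ env.SARIF_PATH }}` into the shell text instead of reading the variable the job-level `env:` already exports, and the redirect target is unquoted; prefer `if [ -f "$SARIF_PATH" ]; then` and `echo "exists=true" >> "$GITHUB_OUTPUT"` (likewise for the `exists=false` line), which keeps workflow-expression values out of the script body. With the new `if:` on the upload step, a SARIF file missing on a scheduled run — where `sarif:` was set and a file was expected — now yields a green job and one log line, so a scanner that fails to produce output goes unnoticed; consider having the `Log SARIF upload skipped` step emit `echo "::warning::..."` (or exit non-zero) when `!github.base_ref` holds, and treat only the PR case as a correct skip. The `dockerfile: sdarq/backend/Dockerfile` matrix entry has an empty `matrix.dir`, so `SARIF_PATH` resolves to `/trivy-results.sarif` for it and this check will always report the file missing for that image. The enclosing job starts before this hunk.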
From: Tom Conner
Date: Fri, 23 May 2025 01:34:14 -0400
Subject: [PATCH 4/4] no dojo
---
 .github/workflows/trivy.yml | 1 -
 1 file changed, 1 deletion(-)
diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml
index f5ce14476..190382acc 100644
--- a/.github/workflows/trivy.yml
+++ b/.github/workflows/trivy.yml
@@ -18,7 +18,6 @@ jobs:
 - dir: batch
 - dir: bastion
 - dir: cis
- - dir: defectdojo
 - dir: sdarq/frontend
 - dockerfile: sdarq/backend/Dockerfile
 - dir: security-controls