From 98795e312dfa33354d9dd9a16de0645ce0c3847f Mon Sep 17 00:00:00 2001
From: tarunpandey23 <79900831+tarunpandey23@users.noreply.github.com>
Date: Fri, 23 May 2025 18:43:34 +0530
Subject: [PATCH] Update/openmetadata trivy scan (#21382)
* updated the workflow
* updated
* updated
* updated
* updated
* updated
* fix the openmetadata server trivy scan to detail out the report on Github Step Summary
* fix the openmetadata server trivy scan to detail out the report on Github Step Summary
* fix the openmetadata server trivy scan to detail out the report on Github Step Summary
---
.../trivy-scan-openmetadata-server.yml | 44 +++++++++++++------
1 file changed, 30 insertions(+), 14 deletions(-)
diff --git a/.github/workflows/trivy-scan-openmetadata-server.yml b/.github/workflows/trivy-scan-openmetadata-server.yml
index f649105fbd8..f182bc31480 100644
--- a/.github/workflows/trivy-scan-openmetadata-server.yml
+++ b/.github/workflows/trivy-scan-openmetadata-server.yml
@@ -1,23 +1,27 @@
name: Trivy Scan For OpenMetadata Server Docker Image
+
on:
schedule:
- cron: '15 4 * * *'
workflow_dispatch:
+
concurrency:
group: trivy-server-scan-${{ github.head_ref || github.run_id }}
cancel-in-progress: true
+
jobs:
build-and-scan:
runs-on: ubuntu-latest
if: ${{ !github.event.pull_request.draft }}
permissions:
pull-requests: write
+
steps:
- name: Checkout Repository
uses: actions/checkout@v4
with:
ref: ${{ github.event.pull_request.head.sha }}
-
+
- name: Prepare for Docker Build
id: prepare
uses: ./.github/actions/prepare-for-docker-build
@@ -29,19 +33,31 @@ jobs:
- name: Build Docker Image
run: |
docker build -t openmetadata-server:trivy -f docker/development/Dockerfile .
-
- name: Run Trivy Image Scan
- id: trivy_scan
- uses: aquasecurity/trivy-action@master
+ uses: aquasecurity/trivy-action@0.28.0
with:
- scan-type: "image"
- image-ref: openmetadata-server:trivy
- hide-progress: false
- ignore-unfixed: true
- severity: "HIGH,CRITICAL,MEDIUM"
- scan-ref: .
- format: 'template'
- template: "@.github/trivy/templates/github.tpl"
- output: $GITHUB_STEP_SUMMARY
+ scan-type: "image"
+ image-ref: openmetadata-server:trivy
+ hide-progress: true
+ ignore-unfixed: true
+ severity: "HIGH,CRITICAL,MEDIUM"
+ format: "table"
+ output: trivy.txt
env:
- TRIVY_DISABLE_VEX_NOTICE: "true"
+ TRIVY_DISABLE_VEX_NOTICE: "true"
+
+ - name: Publish Trivy Output to Summary
+ run: |
+ if [[ -s trivy.txt ]]; then
+ {
+ echo "### Trivy Security Scan Results"
+ echo "
Click to expand"
+ echo ""
+ echo '```text'
+ cat trivy.txt
+ echo '```'
+ echo "
" } >> $GITHUB_STEP_SUMMARY
+ else
+ echo "No vulnerabilities found." >> $GITHUB_STEP_SUMMARY
+ fi
\ No newline at end of file