create dependency track workflow #4
| runs-on: ubuntu-latest | ||
|
|
||
| container: | ||
| image: aquasec/trivy:0.67.2 | ||
|
|
||
| steps: | ||
| - run: trivy --version | ||
| - uses: actions/checkout@v3 | ||
| with: | ||
| fetch-depth: 0 | ||
| - run: trivy fs --format cyclonedx --output /tmp/trivy-cyclonedx.json . | ||
| - run: | | ||
| IS_LATEST=false | ||
| if [ "${{ github.ref_name }}" = "${{ github.event.repository.default_branch }}" ]; then | ||
| IS_LATEST=true | ||
| fi | ||
| curl -X "POST" "https://dependency-track.hawk-dinosaur.ts.net/api/v1/bom" \ | ||
| -H 'Content-Type: multipart/form-data' \ | ||
| -H "X-Api-Key: ${{ secrets.DEPENDENCY_TRACK_AUTOMATION_API_KEY }}" \ | ||
| -F "autoCreate=true" \ | ||
| -F "projectName=${{ github.repository }}" \ | ||
| -F "projectVersion=${{ github.ref_name }}" \ | ||
| -F "isLatest=$IS_LATEST" \ | ||
| -F "bom=@/tmp/trivy-cyclonedx.json" |
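Review bot: the `curl` upload has no `--fail` (`-f`) flag, so a 401/403 from a rejected or under-privileged `DEPENDENCY_TRACK_AUTOMATION_API_KEY`, or any other 4xx/5xx from `/api/v1/bom`, still exits 0 and the job reports success without a BOM ever reaching Dependency-Track; use `curl --fail --silent --show-error -X POST ...` so the step fails visibly. Two smaller points on the same step: `${{ github.ref_name }}` and `${{ github.repository }}` are interpolated straight into the shell script, and the usual hardening is to pass them through `env:` and reference `"$REF_NAME"` inside the script so a branch name is never parsed as shell source; and because the workflow also triggers on `pull_request` (see the `pull_request:` line in the `@@ -2,6 +2,8 @@` hunk), `projectVersion=${{ github.ref_name }}` registers versions named `<n>/merge` in Dependency-Track on every PR run. `actions/checkout@v3` is also a major behind; `actions/checkout@v4` is current.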
Check warning: Code scanning / CodeQL: Workflow does not contain permissions (Medium)
Copilot Autofix
AI about 1 month ago
To fix the problem, we should explicitly add a permissions block to the workflow. Since none of the steps require write access and only need to check out code and run analysis/upload results externally, the minimal starting point is contents: read. This block should be added at the workflow root (before jobs:) to apply to all jobs unless a job-specific override is needed.
Where: In .github/workflows/dependency-track.yml, add a permissions: block after the name: field (i.e. after line 4), before the jobs: field.
What: Add:

```yaml
permissions:
  contents: read
```

No imports, methods, or other definitions are necessary.
| @@ -2,6 +2,8 @@ | ||
| pull_request: | ||
|
|
||
| name: Dependency Track | ||
| permissions: | ||
| contents: read | ||
|
|
||
| jobs: | ||
| trivy: |
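Review bot: `permissions: contents: read` at the workflow root is the right minimum here: `actions/checkout` only needs to read repository contents, Trivy scans the checked-out tree, and the BOM goes to the external Dependency-Track instance through its own API key rather than through the GitHub API, so no `security-events: write` (only needed for SARIF upload to code scanning) or other write scope is required. Placing the block between `name:` and `jobs:` makes it the default for every job; if a later job needs more, give that job its own `permissions:` override instead of widening the workflow default.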
| - run: | | ||
| IS_LATEST=false | ||
| if [ "${{ github.ref_name }}" = "${{ github.event.repository.default_branch }}" ]; then | ||
| IS_LATEST=true |
The branch detection logic may not function as intended in a pull request context. In pull requests, github.ref_name typically refers to the source branch being merged, not the target branch. To correctly determine if the target branch is the default branch, consider using github.base_ref instead:
```sh
if [ "${{ github.base_ref }}" = "${{ github.event.repository.default_branch }}" ]; then
  IS_LATEST=true
fi
```

This ensures the isLatest flag is properly set when the PR targets the default branch.
| - run: | | |
| IS_LATEST=false | |
| if [ "${{ github.ref_name }}" = "${{ github.event.repository.default_branch }}" ]; then | |
| IS_LATEST=true | |
| IS_LATEST=false | |
| if [ "${{ github.base_ref }}" = "${{ github.event.repository.default_branch }}" ]; then | |
| IS_LATEST=true | |
| fi |
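The branch-detection problem raised in the review above, worked through as an added example that is not part of the PR or of the Graphite comment: a POSIX shell script that picks the right ref for both push and pull_request events, derives a project version that does not collapse every PR into `<n>/merge`, and uploads the BOM with curl failing on HTTP errors. It assumes the workflow exports `DEFAULT_BRANCH`, `DT_URL`, `DT_API_KEY`, `PROJECT_NAME` and `BOM_FILE` (hypothetical names) from an `env:` block; the `GITHUB_*` variables are the ones GitHub Actions sets on every run.

```shell
#!/bin/sh
# Added example, not code from the PR: compute the Dependency-Track
# "isLatest" flag and project version from the Actions context so the
# logic holds for push and pull_request events, then upload the BOM with
# curl failing loudly on HTTP errors.
#
# Inputs arrive as environment variables instead of being interpolated
# into the script with ${{ }}. GITHUB_EVENT_NAME, GITHUB_REF_NAME,
# GITHUB_BASE_REF and GITHUB_HEAD_REF are the standard Actions variables;
# DEFAULT_BRANCH, DT_URL, DT_API_KEY, PROJECT_NAME and BOM_FILE are
# hypothetical names assumed to be set by the workflow's env: block.

# compute_is_latest EVENT_NAME REF_NAME BASE_REF DEFAULT_BRANCH -> "true"|"false"
compute_is_latest() {
  cil_event="$1"; cil_ref="$2"; cil_base="$3"; cil_default="$4"
  case "$cil_event" in
    pull_request|pull_request_target)
      # On PR events GITHUB_REF_NAME is the synthetic "<n>/merge" ref and
      # can never equal the default branch; the targeted branch is BASE_REF.
      cil_branch="$cil_base" ;;
    *)
      # push, workflow_dispatch, schedule, ...: the ref being built is REF_NAME.
      cil_branch="$cil_ref" ;;
  esac
  if [ -n "$cil_branch" ] && [ "$cil_branch" = "$cil_default" ]; then
    echo true
  else
    echo false
  fi
}

# project_version EVENT_NAME REF_NAME HEAD_REF -> version label
# For PRs use the source branch (HEAD_REF) so Dependency-Track does not
# accumulate versions called "4/merge", "5/merge", ...
project_version() {
  pv_event="$1"; pv_ref="$2"; pv_head="$3"
  case "$pv_event" in
    pull_request|pull_request_target) echo "$pv_head" ;;
    *) echo "$pv_ref" ;;
  esac
}

# upload_bom IS_LATEST VERSION: POST the CycloneDX file to /api/v1/bom.
# --fail turns any 4xx/5xx (for example a rejected API key) into a non-zero
# exit, so the step fails instead of silently reporting success. curl sets
# the multipart Content-Type (with its boundary) itself because of -F.
upload_bom() {
  curl --fail --silent --show-error -X POST "${DT_URL}/api/v1/bom" \
    -H "X-Api-Key: ${DT_API_KEY}" \
    -F "autoCreate=true" \
    -F "projectName=${PROJECT_NAME}" \
    -F "projectVersion=$2" \
    -F "isLatest=$1" \
    -F "bom=@${BOM_FILE}"
}

# Only upload when the workflow has provided a BOM file; when the script is
# sourced or run without BOM_FILE, nothing is sent.
if [ -n "${BOM_FILE:-}" ]; then
  IS_LATEST=$(compute_is_latest "${GITHUB_EVENT_NAME:-}" "${GITHUB_REF_NAME:-}" \
                                "${GITHUB_BASE_REF:-}" "${DEFAULT_BRANCH:-}")
  VERSION=$(project_version "${GITHUB_EVENT_NAME:-}" "${GITHUB_REF_NAME:-}" \
                            "${GITHUB_HEAD_REF:-}")
  echo "isLatest=${IS_LATEST} projectVersion=${VERSION}"
  upload_bom "$IS_LATEST" "$VERSION"
fi
```

In the workflow this replaces the inline `${{ }}` interpolation: put `DEFAULT_BRANCH: ${{ github.event.repository.default_branch }}`, `DT_API_KEY: ${{ secrets.DEPENDENCY_TRACK_AUTOMATION_API_KEY }}` and the other values under the step's `env:` and run the script, so each value reaches the shell as an environment variable rather than being pasted into the script body.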
No description provided.