Summary
The action already generates detailed JSON scan results from Trivy and Grype, but doesn't produce SARIF output for GitHub's Code Scanning native integration. This means findings are only visible in CI logs rather than appearing as PR annotations and the Security tab.
What's missing
- No SARIF output from Trivy (Trivy `--format sarif` is supported upstream)
- The `github/codeql-action/upload-sarif` action isn't used (the Reel Security Scan action does this after its SARIF export)
- Scan results stay in the `results-dir` as opaque JSON instead of surfacing inline in PRs
Proposed change
- Add an `enable-sarif` input (default: `false` for backwards compatibility)
- When enabled, have Trivy output SARIF in addition to JSON
- Optionally upload it to Code Scanning via `github/codeql-action/upload-sarif@v3`
This would give users PR-level vulnerability annotations without needing a separate SARIF-generation step in their workflow. Happy to draft a PR if this fits the project roadmap.
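To make the proposal concrete, here is an added sketch of what the `enable-sarif` path could look like as composite-action steps. This is illustration only, not the project's code: the `image-ref` input, the `trivy.json`/`trivy.sarif` file names and the `trivy` category are assumed; `enable-sarif` and `results-dir` are the names used in this issue. It uses Trivy's `convert` subcommand so the image is scanned once and the SARIF is derived from the JSON the action already writes.

```yaml
# Added example of the proposed enable-sarif behaviour (not the project's own action.yml).
# Assumed: an image-ref input and the trivy.json / trivy.sarif file names.
inputs:
  enable-sarif:
    description: Also emit Trivy SARIF and upload it to GitHub Code Scanning
    default: 'false'          # off by default, so existing callers are unaffected
  results-dir:
    description: Directory that receives scan output
    default: 'results'
  image-ref:                  # assumed input: whatever the action already scans
    description: Container image to scan
    required: true

runs:
  using: composite
  steps:
    - name: Trivy scan (JSON, existing behaviour)
      shell: bash
      run: |
        mkdir -p "${{ inputs.results-dir }}"
        trivy image --format json \
          --output "${{ inputs.results-dir }}/trivy.json" \
          "${{ inputs.image-ref }}"

    # Derive SARIF from the JSON report instead of scanning a second time.
    - name: Convert Trivy JSON to SARIF
      if: ${{ inputs.enable-sarif == 'true' }}
      shell: bash
      run: |
        trivy convert --format sarif \
          --output "${{ inputs.results-dir }}/trivy.sarif" \
          "${{ inputs.results-dir }}/trivy.json"

    - name: Upload SARIF to Code Scanning
      if: ${{ inputs.enable-sarif == 'true' }}
      uses: github/codeql-action/upload-sarif@v3
      with:
        sarif_file: ${{ inputs.results-dir }}/trivy.sarif
        category: trivy       # keeps these results separate from other SARIF uploads in the repo
```

Two things a caller would need to know: the upload step requires `security-events: write` (plus `contents: read`) in the calling workflow's `permissions`, and `pull_request` runs from forks get a read-only token, so the upload step fails there unless it is skipped for fork PRs. The upload itself never fails the job on findings; any exit-code policy stays with the Trivy scan step.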