IT-3421: Improve comments around uploading trivy results for a 'faile…

…d' scan
Sage-Bionetworks-IT · Aug 12, 2024 · 5b22e06 · 5b22e06
1 parent d38652e
commit 5b22e06
Showing 1 changed file with 5 additions and 2 deletions.
diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml
@@ -64,8 +64,7 @@ jobs:
           skip-files: |
             /usr/local/lib/R/site-library/gargle/extdata/fake_service_account.json
             /usr/local/lib/R/site-library/openssl/doc/keys.html
-          # fake_service_account.json is a fake account that gets
-          #  flagged as a credentials file
+          # fake_service_account.json is a fake account that gets flagged as a credentials file
           # keys.html is a documentation file that appears to contain cred's
           severity: 'CRITICAL,HIGH'
           format: 'sarif'
@@ -80,6 +79,10 @@ jobs:
         # after Trivy exits with HIGH/CRITICAL findings
         # See https://github.com/aquasecurity/trivy-action?\
         # tab=readme-ov-file#using-trivy-with-github-code-scanning
+        # Note that here instead of using `always()` which would
+        # allow the step to run if *any* preceeding step failed,
+        # this logic ensures that the step ony runs if all steps
+        # succeed or if only  the 'trivy' step fails.
         if: ${{ success() || steps.trivy.conclusion=='failure' }}
         with:
           sarif_file: ${{ env.sarif_file_name  }}