for idaholab#218, upload scan results to github

.github/workflows/api-build-and-push-ghcr.yml

@@ -26,6 +26,7 @@ jobs:
       actions: write
       packages: write
       contents: read
+      security-events: write
     steps:
       -
         name: Cancel previous run in progress
@@ -74,9 +75,16 @@ jobs:
           scan-type: 'image'
           scanners: 'vuln'
           image-ref: ghcr.io/${{ github.repository_owner }}/malcolm/api:${{ steps.extract_branch.outputs.branch }}
-          format: 'json'
+          format: 'sarif'
+          output: 'trivy-results.sarif'
           severity: 'HIGH,CRITICAL'
           vuln-type: 'os,library'
           hide-progress: true
           ignore-unfixed: true
           exit-code: '0'
+      -
+        name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v2
+        if: always()
+        with:
+          sarif_file: 'trivy-results.sarif'

.github/workflows/arkime-build-and-push-ghcr.yml

@@ -26,6 +26,7 @@ jobs:
       actions: write
       packages: write
       contents: read
+      security-events: write
     steps:
       -
         name: Cancel previous run in progress
@@ -76,9 +77,16 @@ jobs:
           scan-type: 'image'
           scanners: 'vuln'
           image-ref: ghcr.io/${{ github.repository_owner }}/malcolm/arkime:${{ steps.extract_branch.outputs.branch }}
-          format: 'json'
+          format: 'sarif'
+          output: 'trivy-results.sarif'
           severity: 'HIGH,CRITICAL'
           vuln-type: 'os,library'
           hide-progress: true
           ignore-unfixed: true
           exit-code: '0'
+      -
+        name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v2
+        if: always()
+        with:
+          sarif_file: 'trivy-results.sarif'

.github/workflows/dashboards-build-and-push-ghcr.yml

@@ -26,6 +26,7 @@ jobs:
       actions: write
       packages: write
       contents: read
+      security-events: write
     steps:
       -
         name: Cancel previous run in progress
@@ -74,9 +75,16 @@ jobs:
           scan-type: 'image'
           scanners: 'vuln'
           image-ref: ghcr.io/${{ github.repository_owner }}/malcolm/dashboards:${{ steps.extract_branch.outputs.branch }}
-          format: 'json'
+          format: 'sarif'
+          output: 'trivy-results.sarif'
           severity: 'HIGH,CRITICAL'
           vuln-type: 'os,library'
           hide-progress: true
           ignore-unfixed: true
           exit-code: '0'
+      -
+        name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v2
+        if: always()
+        with:
+          sarif_file: 'trivy-results.sarif'

.github/workflows/dashboards-helper-build-and-push-ghcr.yml

@@ -26,6 +26,7 @@ jobs:
       actions: write
       packages: write
       contents: read
+      security-events: write
     steps:
       -
         name: Cancel previous run in progress
@@ -74,9 +75,16 @@ jobs:
           scan-type: 'image'
           scanners: 'vuln'
           image-ref: ghcr.io/${{ github.repository_owner }}/malcolm/dashboards-helper:${{ steps.extract_branch.outputs.branch }}
-          format: 'json'
+          format: 'sarif'
+          output: 'trivy-results.sarif'
           severity: 'HIGH,CRITICAL'
           vuln-type: 'os,library'
           hide-progress: true
           ignore-unfixed: true
           exit-code: '0'
+      -
+        name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v2
+        if: always()
+        with:
+          sarif_file: 'trivy-results.sarif'

.github/workflows/dirinit-build-and-push-ghcr.yml

@@ -19,6 +19,7 @@ jobs:
       actions: write
       packages: write
       contents: read
+      security-events: write
     steps:
       -
         name: Cancel previous run in progress
@@ -67,9 +68,16 @@ jobs:
           scan-type: 'image'
           scanners: 'vuln'
           image-ref: ghcr.io/${{ github.repository_owner }}/malcolm/dirinit:${{ steps.extract_branch.outputs.branch }}
-          format: 'json'
+          format: 'sarif'
+          output: 'trivy-results.sarif'
           severity: 'HIGH,CRITICAL'
           vuln-type: 'os,library'
           hide-progress: true
           ignore-unfixed: true
           exit-code: '0'
+      -
+        name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v2
+        if: always()
+        with:
+          sarif_file: 'trivy-results.sarif'

.github/workflows/file-monitor-build-and-push-ghcr.yml

@@ -26,6 +26,7 @@ jobs:
       actions: write
       packages: write
       contents: read
+      security-events: write
     steps:
       -
         name: Cancel previous run in progress
@@ -74,9 +75,16 @@ jobs:
           scan-type: 'image'
           scanners: 'vuln'
           image-ref: ghcr.io/${{ github.repository_owner }}/malcolm/file-monitor:${{ steps.extract_branch.outputs.branch }}
-          format: 'json'
+          format: 'sarif'
+          output: 'trivy-results.sarif'
           severity: 'HIGH,CRITICAL'
           vuln-type: 'os,library'
           hide-progress: true
           ignore-unfixed: true
           exit-code: '0'
+      -
+        name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v2
+        if: always()
+        with:
+          sarif_file: 'trivy-results.sarif'

.github/workflows/file-upload-build-and-push-ghcr.yml

@@ -26,6 +26,7 @@ jobs:
       actions: write
       packages: write
       contents: read
+      security-events: write
     steps:
       -
         name: Cancel previous run in progress
@@ -74,9 +75,16 @@ jobs:
           scan-type: 'image'
           scanners: 'vuln'
           image-ref: ghcr.io/${{ github.repository_owner }}/malcolm/file-upload:${{ steps.extract_branch.outputs.branch }}
-          format: 'json'
+          format: 'sarif'
+          output: 'trivy-results.sarif'
           severity: 'HIGH,CRITICAL'
           vuln-type: 'os,library'
           hide-progress: true
           ignore-unfixed: true
           exit-code: '0'
+      -
+        name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v2
+        if: always()
+        with:
+          sarif_file: 'trivy-results.sarif'

.github/workflows/filebeat-build-and-push-ghcr.yml

@@ -26,6 +26,7 @@ jobs:
       actions: write
       packages: write
       contents: read
+      security-events: write
     steps:
       -
         name: Cancel previous run in progress
@@ -74,9 +75,16 @@ jobs:
           scan-type: 'image'
           scanners: 'vuln'
           image-ref: ghcr.io/${{ github.repository_owner }}/malcolm/filebeat-oss:${{ steps.extract_branch.outputs.branch }}
-          format: 'json'
+          format: 'sarif'
+          output: 'trivy-results.sarif'
           severity: 'HIGH,CRITICAL'
           vuln-type: 'os,library'
           hide-progress: true
           ignore-unfixed: true
           exit-code: '0'
+      -
+        name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v2
+        if: always()
+        with:
+          sarif_file: 'trivy-results.sarif'

.github/workflows/freq-build-and-push-ghcr.yml

@@ -26,6 +26,7 @@ jobs:
       actions: write
       packages: write
       contents: read
+      security-events: write
     steps:
       -
         name: Cancel previous run in progress
@@ -74,9 +75,16 @@ jobs:
           scan-type: 'image'
           scanners: 'vuln'
           image-ref: ghcr.io/${{ github.repository_owner }}/malcolm/freq:${{ steps.extract_branch.outputs.branch }}
-          format: 'json'
+          format: 'sarif'
+          output: 'trivy-results.sarif'
           severity: 'HIGH,CRITICAL'
           vuln-type: 'os,library'
           hide-progress: true
           ignore-unfixed: true
           exit-code: '0'
+      -
+        name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v2
+        if: always()
+        with:
+          sarif_file: 'trivy-results.sarif'

.github/workflows/htadmin-build-and-push-ghcr.yml

@@ -26,6 +26,7 @@ jobs:
       actions: write
       packages: write
       contents: read
+      security-events: write
     steps:
       -
         name: Cancel previous run in progress
@@ -74,9 +75,16 @@ jobs:
           scan-type: 'image'
           scanners: 'vuln'
           image-ref: ghcr.io/${{ github.repository_owner }}/malcolm/htadmin:${{ steps.extract_branch.outputs.branch }}
-          format: 'json'
+          format: 'sarif'
+          output: 'trivy-results.sarif'
           severity: 'HIGH,CRITICAL'
           vuln-type: 'os,library'
           hide-progress: true
           ignore-unfixed: true
           exit-code: '0'
+      -
+        name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v2
+        if: always()
+        with:
+          sarif_file: 'trivy-results.sarif'

.github/workflows/logstash-build-and-push-ghcr.yml

@@ -26,6 +26,7 @@ jobs:
       actions: write
       packages: write
       contents: read
+      security-events: write
     steps:
       -
         name: Cancel previous run in progress
@@ -74,9 +75,16 @@ jobs:
           scan-type: 'image'
           scanners: 'vuln'
           image-ref: ghcr.io/${{ github.repository_owner }}/malcolm/logstash-oss:${{ steps.extract_branch.outputs.branch }}
-          format: 'json'
+          format: 'sarif'
+          output: 'trivy-results.sarif'
           severity: 'HIGH,CRITICAL'
           vuln-type: 'os,library'
           hide-progress: true
           ignore-unfixed: true
           exit-code: '0'
+      -
+        name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v2
+        if: always()
+        with:
+          sarif_file: 'trivy-results.sarif'

.github/workflows/malcolm-iso-build-docker-wrap-push-ghcr.yml

@@ -22,6 +22,7 @@ jobs:
       actions: write
       packages: write
       contents: read
+      security-events: write
     defaults:
       run:
         shell: bash
@@ -120,12 +121,19 @@ jobs:
         with:
           scan-type: 'fs'
           scan-ref: './malcolm-iso'
-          format: 'json'
+          format: 'sarif'
+          output: 'trivy-results.sarif'
           severity: 'HIGH,CRITICAL'
           vuln-type: 'os,library'
           hide-progress: true
           ignore-unfixed: true
           exit-code: '0'
+      -
+        name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v2
+        if: always()
+        with:
+          sarif_file: 'trivy-results.sarif'
       -
         name: ghcr.io login
         uses: docker/login-action@v2

.github/workflows/netbox-build-and-push-ghcr.yml

@@ -26,6 +26,7 @@ jobs:
       actions: write
       packages: write
       contents: read
+      security-events: write
     steps:
       -
         name: Cancel previous run in progress
@@ -74,9 +75,16 @@ jobs:
           scan-type: 'image'
           scanners: 'vuln'
           image-ref: ghcr.io/${{ github.repository_owner }}/malcolm/netbox:${{ steps.extract_branch.outputs.branch }}
-          format: 'json'
+          format: 'sarif'
+          output: 'trivy-results.sarif'
           severity: 'HIGH,CRITICAL'
           vuln-type: 'os,library'
           hide-progress: true
           ignore-unfixed: true
           exit-code: '0'
+      -
+        name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v2
+        if: always()
+        with:
+          sarif_file: 'trivy-results.sarif'

.github/workflows/nginx-build-and-push-ghcr.yml

@@ -33,6 +33,7 @@ jobs:
       actions: write
       packages: write
       contents: read
+      security-events: write
     steps:
       -
         name: Cancel previous run in progress
@@ -89,9 +90,16 @@ jobs:
           scan-type: 'image'
           scanners: 'vuln'
           image-ref: ghcr.io/${{ github.repository_owner }}/malcolm/nginx-proxy:${{ steps.extract_branch.outputs.branch }}
-          format: 'json'
+          format: 'sarif'
+          output: 'trivy-results.sarif'
           severity: 'HIGH,CRITICAL'
           vuln-type: 'os,library'
           hide-progress: true
           ignore-unfixed: true
           exit-code: '0'
+      -
+        name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v2
+        if: always()
+        with:
+          sarif_file: 'trivy-results.sarif'

.github/workflows/opensearch-build-and-push-ghcr.yml

@@ -25,6 +25,7 @@ jobs:
       actions: write
       packages: write
       contents: read
+      security-events: write
     steps:
       -
         name: Cancel previous run in progress
@@ -73,9 +74,16 @@ jobs:
           scan-type: 'image'
           scanners: 'vuln'
           image-ref: ghcr.io/${{ github.repository_owner }}/malcolm/opensearch:${{ steps.extract_branch.outputs.branch }}
-          format: 'json'
+          format: 'sarif'
+          output: 'trivy-results.sarif'
           severity: 'HIGH,CRITICAL'
           vuln-type: 'os,library'
           hide-progress: true
           ignore-unfixed: true
           exit-code: '0'
+      -
+        name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v2
+        if: always()
+        with:
+          sarif_file: 'trivy-results.sarif'