From 6d47ac77c39aa29336ef1cbb32bd270b69bebb40 Mon Sep 17 00:00:00 2001 From: Jean-Paul van Ravensberg <14926452+DevSecNinja@users.noreply.github.com> Date: Tue, 7 Jul 2026 14:12:18 +0200 Subject: [PATCH 1/2] feat(lint): add upload-sarif input to skip GitHub code scanning upload The checkov/trivy/zizmor jobs always uploaded SARIF via github/codeql-action/upload-sarif, which requires GitHub Advanced Security. On private repos without GHAS the upload fails with "Resource not accessible by integration", breaking the whole lint job. Add an `upload-sarif` input (default true, fully backward-compatible). When set to false, the three scanners run with console output and gate on their exit codes instead of uploading SARIF, so private repos without GHAS can still enforce security linting. --- .github/workflows/lint.yml | 50 ++++++++++++++++++++++++++++++------- workflow-templates/lint.yml | 4 +++ 2 files changed, 45 insertions(+), 9 deletions(-) diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index 0d0b1e4..b93b9e3 100644 --- a/.github/workflows/lint.yml +++ b/.github/workflows/lint.yml @@ -98,6 +98,13 @@ on: required: false type: boolean default: false + upload-sarif: + description: "Upload checkov/trivy/zizmor results to GitHub code scanning (requires GitHub + Advanced Security). Set false for private repos without GHAS to gate on exit codes with + console output instead." + required: false + type: boolean + default: true permissions: contents: read @@ -452,10 +459,18 @@ jobs: version: ${{ inputs.mise-version }} - name: Run checkov - run: mise exec -- checkov -d . --output sarif --output-file-path . || true + env: + UPLOAD_SARIF: ${{ inputs.upload-sarif }} + run: |- + if [ "${UPLOAD_SARIF}" = "true" ]; then + mise exec -- checkov -d . --output sarif --output-file-path . || true + else + # No GitHub Advanced Security: gate on exit code with console output. + mise exec -- checkov -d . --compact --quiet + fi - name: Filter skipped checks from SARIF - if: always() + if: ${{ always() && inputs.upload-sarif }} run: |- if [ -f results_sarif.sarif ]; then jq ' @@ -470,7 +485,7 @@ jobs: - name: Upload SARIF report uses: github/codeql-action/upload-sarif@54f647b7e1bb85c95cddabcd46b0c578ec92bc1a # v4.36.3 - if: always() + if: ${{ always() && inputs.upload-sarif }} with: sarif_file: results_sarif.sarif category: checkov @@ -499,6 +514,7 @@ jobs: - name: Run trivy env: CONFIG_DIR: ${{ inputs.lint-config-dir }} + UPLOAD_SARIF: ${{ inputs.upload-sarif }} run: |- # Lint tool versions are owned by the consuming repo: pinned and # Renovate-managed in its mise config. Fail early with guidance when @@ -516,13 +532,21 @@ jobs: trivy_args+=(--config "${CONFIG_DIR}/trivy.yaml") fi - mise exec -- trivy fs "${trivy_args[@]}" \ - --scanners misconfig,secret \ - --format sarif \ - --output trivy.sarif . || true + if [ "${UPLOAD_SARIF}" = "true" ]; then + mise exec -- trivy fs "${trivy_args[@]}" \ + --scanners misconfig,secret \ + --format sarif \ + --output trivy.sarif . || true + else + # No GitHub Advanced Security: gate on exit code with console output. + mise exec -- trivy fs "${trivy_args[@]}" \ + --scanners misconfig,secret \ + --exit-code 1 . + fi - name: Upload SARIF report uses: github/codeql-action/upload-sarif@54f647b7e1bb85c95cddabcd46b0c578ec92bc1a # v4.36.3 + if: ${{ inputs.upload-sarif }} with: sarif_file: trivy.sarif category: trivy @@ -549,11 +573,19 @@ jobs: version: ${{ inputs.mise-version }} - name: Run zizmor - run: mise exec -- zizmor --format sarif . > zizmor.sarif + env: + UPLOAD_SARIF: ${{ inputs.upload-sarif }} + run: |- + if [ "${UPLOAD_SARIF}" = "true" ]; then + mise exec -- zizmor --format sarif . > zizmor.sarif + else + # No GitHub Advanced Security: gate on exit code with console output. + mise exec -- zizmor . + fi - name: Upload SARIF report uses: github/codeql-action/upload-sarif@54f647b7e1bb85c95cddabcd46b0c578ec92bc1a # v4.36.3 - if: always() + if: ${{ always() && inputs.upload-sarif }} with: sarif_file: zizmor.sarif category: zizmor diff --git a/workflow-templates/lint.yml b/workflow-templates/lint.yml index 0d9082f..64f586c 100644 --- a/workflow-templates/lint.yml +++ b/workflow-templates/lint.yml @@ -25,6 +25,10 @@ jobs: # lint-config-dir: config-sync/files # Optional: fail this workflow when a linter fails (default: false). # lint-fail-on-error: true + # Optional: upload checkov/trivy/zizmor results to GitHub code scanning + # (default: true, requires GitHub Advanced Security). Set false for + # private repos without GHAS to gate on exit codes with console output. + # upload-sarif: false # Optional: use a different Go version file. # go-version-file: go.mod # Toggle linters on/off (all default to true): From 52b19f026282fcd33ffd9e0ee69bdb0e8d24bb9a Mon Sep 17 00:00:00 2001 From: Jean-Paul van Ravensberg <14926452+DevSecNinja@users.noreply.github.com> Date: Tue, 7 Jul 2026 17:04:55 +0200 Subject: [PATCH 2/2] style(lint): apply yamlfmt wrapping to upload-sarif description --- .github/workflows/lint.yml | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index b93b9e3..1cdfa5f 100644 --- a/.github/workflows/lint.yml +++ b/.github/workflows/lint.yml @@ -99,9 +99,8 @@ on: type: boolean default: false upload-sarif: - description: "Upload checkov/trivy/zizmor results to GitHub code scanning (requires GitHub - Advanced Security). Set false for private repos without GHAS to gate on exit codes with - console output instead." + description: "Upload checkov/trivy/zizmor results to GitHub code scanning (requires GitHub Advanced Security). Set + false for private repos without GHAS to gate on exit codes with console output instead." required: false type: boolean default: true