From c76b53f16c156e37c5e775121c755091037b6fe0 Mon Sep 17 00:00:00 2001
From: Ugo Mignon
Date: Thu, 24 Apr 2025 18:26:06 +0200
Subject: [PATCH] feat(docker-build): add security report option and upload step

---
 .github/workflows/docker-build.yml | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/docker-build.yml b/.github/workflows/docker-build.yml
index 2f4a778..791e0ba 100644
--- a/.github/workflows/docker-build.yml
+++ b/.github/workflows/docker-build.yml
@@ -19,6 +19,10 @@ on:
 description: 'Enable Security Scan'
 default: true
 type: boolean
+ security-report:
+ description: 'Enable Security Report'
+ default: 'sarif'
+ type: string
 hadolint:
 description: 'Enable Hadolint'
 default: true
@@ -100,7 +104,7 @@ jobs:
 - name: Update Pull Request with Security Scan Results
 uses: actions/github-script@v7
- if: github.event_name == 'pull_request' && inputs.security-scan
+ if: github.event_name == 'pull_request' && inputs.security-scan && inputs.security-report == 'comment'
 with:
 script: |
 const fs = require('fs');
@@ -123,6 +127,12 @@ jobs:
 body: output
 });
 
+ - name: Upload Trivy scan results to GitHub Security tab
+ if: github.event_name == 'pull_request' && inputs.security-scan && inputs.security-report == 'sarif'
+ uses: github/codeql-action/upload-sarif@v3
+ with:
+ sarif_file: 'trivy-results.sarif'
+
 - name: Update Pull Request with Hadolint Results
 uses: actions/github-script@v7
 if: github.event_name == 'pull_request' && inputs.hadolint
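Review bot: `security-report` is a free-form string that the conditions in the second and third hunks compare exactly against `'comment'` and `'sarif'`, so any other value (a typo, `'Sarif'`, `'none'`) still runs the scan but surfaces nothing, with no failure to point at. The description `'Enable Security Report'` also reads like a boolean toggle and does not tell callers which values are accepted. Suggest `description: 'Where to publish security scan results: sarif (GitHub Security tab) or comment (pull request comment)'`, plus either a small validation step that fails on any other value or a documented `none` value as the explicit opt-out. The `on:` inputs block continues outside the hunk.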
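Review bot: The new upload-sarif step needs the `security-events: write` permission on the job's token, and nothing in the hunk grants it; if the job or workflow `permissions:` block (outside this hunk) does not already include it, the step fails at runtime rather than at lint time. Gating on `github.event_name == 'pull_request'` also means a push to the default branch never uploads, so the repository's Security tab alert list is never populated, and pull requests from forks, whose token is read-only, would fail here unless the step is marked `continue-on-error: true`. Since the step reads `trivy-results.sarif`, the Trivy scan step (outside this hunk) must emit SARIF whenever `security-report == 'sarif'`, while the comment path presumably reads a different format — worth confirming both output formats are switched on the same input. `github/codeql-action/upload-sarif@v3` is tag-pinned, consistent with the file's other actions; pinning to a commit SHA would be the stronger supply-chain choice if the repository moves that way.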