
Follow-on refinements to Docker Security Scan job #5438

Open

jonpspri wants to merge 2 commits into main from jps-docker-scan

Conversation

@jonpspri

Collaborator

This PR includes follow-on refinements to the Docker Security Scan workflow:

Changes

Job Restructuring

  • Split the monolithic job into two focused jobs:
    • : FedRAMP compliance validation with FIPS-enabled image
    • : Standard security scanning with lite image
  • Updated to depend on both new jobs

SARIF Integration

  • Added SARIF output format for merge_group events
  • Integrated CodeQL SARIF upload for both compliance and standard scans
  • Added debug step to display SARIF contents during merge_group runs
  • Categorized uploads: and

Dependency Updates

  • Updated from v6.2.0 to v7.4.0
  • Changed base image from pinned version to

Workflow Improvements

  • Conditional SARIF output (only for merge_group events)
  • Separate SBOM artifacts for FedRAMP and standard builds
  • Enhanced visibility with SARIF file display step

Testing

  • Workflow validated via workflow_dispatch
  • SARIF upload tested in merge_group context

Signed-off-by: Jonathan Springer <jps@s390x.com>
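The job layout the PR describes (two scan jobs, SARIF only on merge_group events, one CodeQL SARIF upload per job with its own category, a downstream job that needs both), written out as an added illustrative workflow. This is not the PR's own workflow file, which the page does not show: the job names, Dockerfile names, image tags, category strings, and the choice of Trivy as the scanner are assumptions made for the example.

```yaml
# Added illustrative workflow; not the project's own file. Job names, image
# tags, Dockerfile names, category strings and the use of Trivy as scanner are
# assumptions: the PR text does not show them.
name: Docker Security Scan

on:
  pull_request:
  merge_group:
  workflow_dispatch:

permissions:
  contents: read
  security-events: write   # required by github/codeql-action/upload-sarif

jobs:
  fedramp-compliance-scan:          # assumed name for the FIPS/FedRAMP job
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Build FIPS-enabled image
        run: docker build -f Dockerfile.fips -t app:fips .   # assumed Dockerfile

      # SARIF is only produced for merge_group runs; other events get a table.
      - name: Scan image
        uses: aquasecurity/trivy-action@0.28.0
        with:
          image-ref: app:fips
          format: ${{ github.event_name == 'merge_group' && 'sarif' || 'table' }}
          output: ${{ github.event_name == 'merge_group' && 'fedramp.sarif' || '' }}
          exit-code: '0'   # reporting run; pass/fail policy lives in the gate job

      - name: Generate SBOM (separate artifact per build flavour)
        uses: aquasecurity/trivy-action@0.28.0
        with:
          image-ref: app:fips
          scan-type: image
          format: spdx-json
          output: sbom-fedramp.spdx.json

      - name: Upload SBOM artifact
        uses: actions/upload-artifact@v4
        with:
          name: sbom-fedramp
          path: sbom-fedramp.spdx.json

      - name: Show SARIF contents (debug)
        if: github.event_name == 'merge_group'
        run: |
          jq '{tool: .runs[0].tool.driver.name, results: (.runs[0].results | length)}' fedramp.sarif

      - name: Upload SARIF to code scanning
        if: github.event_name == 'merge_group'
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: fedramp.sarif
          category: docker-scan-fedramp   # assumed; must be unique per job

  standard-security-scan:           # assumed name for the lite-image job
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Build lite image
        run: docker build -f Dockerfile.lite -t app:lite .   # assumed Dockerfile

      - name: Scan image
        uses: aquasecurity/trivy-action@0.28.0
        with:
          image-ref: app:lite
          format: ${{ github.event_name == 'merge_group' && 'sarif' || 'table' }}
          output: ${{ github.event_name == 'merge_group' && 'standard.sarif' || '' }}
          exit-code: '0'

      - name: Upload SARIF to code scanning
        if: github.event_name == 'merge_group'
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: standard.sarif
          category: docker-scan-standard   # distinct from the FedRAMP category

  docker-scan-gate:                 # assumed name for the job that now needs both
    runs-on: ubuntu-latest
    needs: [fedramp-compliance-scan, standard-security-scan]
    if: always()                    # run even when a scan job failed or was skipped
    steps:
      - name: Fail unless both scan jobs succeeded
        run: |
          test "${{ needs.fedramp-compliance-scan.result }}" = "success"
          test "${{ needs.standard-security-scan.result }}" = "success"
```

Two points a reviewer would check in a workflow of this shape. First, the two upload-sarif steps need different `category` values: code scanning keys uploads by commit and category, so two uploads for the same commit with the same category overwrite each other rather than appearing side by side. Second, the gate job uses `if: always()` and checks each `needs.<job>.result` explicitly; without that, a skipped scan job would skip the gate too, and a merge queue could advance without either scan having run. Note also that a `workflow_dispatch` run never takes the `merge_group` branch of these conditionals, so the SARIF steps are only exercised from an actual merge queue, which matches the PR's testing note.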

@jonpspri jonpspri marked this pull request as draft June 30, 2026 13:11
@jonpspri jonpspri force-pushed the jps-docker-scan branch 5 times, most recently from befd518 to 4359ef8 Compare June 30, 2026 15:36
@jonpspri jonpspri marked this pull request as ready for review June 30, 2026 15:46
Signed-off-by: Jonathan Springer <jps@s390x.com>
@jonpspri jonpspri force-pushed the jps-docker-scan branch 5 times, most recently from 88cf954 to 2fe4473 Compare July 1, 2026 15:42
Signed-off-by: Jonathan Springer <jps@s390x.com>
@jonpspri jonpspri assigned brian-hussey and unassigned ja8zyjits Jul 1, 2026
