Any way to make Github runner take an action if a vulnerability is found?

[jasonculligan]

I thought this would be easy but I was wrong. Consider the following Github action:

name: Daily Pull and Vulnerability Scan

on:
  schedule:
    - cron: "0 0 * * *"  # Runs daily at midnight UTC
  workflow_dispatch:  # Allows manual trigger

jobs:
  pull-and-scan:
    runs-on: ubuntu-latest

    steps:
    - name: Log in to Docker Hub
      uses: docker/login-action@v2
      with:
        username: ${{ secrets.DOCKER_USER }}
        password: ${{ secrets.DOCKER_PASS }}

    - name: Pull Docker image
      run: |
        IMAGE_NAME="example-image-name:latest"
        docker pull $IMAGE_NAME
      env:
        IMAGE_NAME: example-image-name:latest

    - name: Scan Docker image with Trivy
      id: scan_image
      uses: aquasecurity/trivy-action@master
      with:
        image-ref: example-image-name:latest
        ignore-unfixed: true  # Optional: set to false to capture all vulnerabilities
        format: "table"  # Output format
        exit-code: '123'

    - name: Check if vulnerabilities are found
      id: check_scan
      run: |
        # Fail the job if vulnerabilities were found
        if [[ "${{ steps.scan_image.outputs.results }}" != "" ]]; then
          echo "Vulnerabilities found!"
          echo "needs_rebuild=true" >> $GITHUB_ENV
        else
          echo "No vulnerabilities found."
          echo "needs_rebuild=false" >> $GITHUB_ENV
        fi

    - name: Build and push Docker image
      if: env.needs_rebuild == 'true'
      id: push
      uses: docker/build-push-action@v6
      with:
        context: .
        file: ./Dockerfile
        push: true
        tags: example-image-name:latest

It never reaches the portion to decide what to do if vulnerabilities are found:

[pp-csievering]

Trivy Scan doesnt return exit code 0 so the workflow ends there. If you want the steps after the scan to run I'd recommend adding if: success() || failure() to the step after, or change the exit code.