@@ -95,12 +95,23 @@ jobs:
9595 echo "🔍 FILESYSTEM SECURITY SCAN RESULTS FOR ${{ matrix.service }}"
9696 echo "================================================="
9797
98- # Run Trivy again with table format for readable output
98+ # Run Trivy again with table format for readable output (show ALL vulnerabilities)
99+ echo "📊 DETAILED VULNERABILITY TABLE:"
99100 docker run --rm -v "$PWD:/workspace" aquasec/trivy:latest fs \
100101 --format table \
101102 --severity UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL \
103+ --ignore-unfixed=false \
102104 /workspace/apps/${{ matrix.service }} || true
103105
106+ echo ""
107+ echo "📋 SUMMARY BY SEVERITY:"
108+ docker run --rm -v "$PWD:/workspace" aquasec/trivy:latest fs \
109+ --format json \
110+ --severity UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL \
111+ --ignore-unfixed=false \
112+ /workspace/apps/${{ matrix.service }} 2>/dev/null | \
113+ jq -r '.Results[]?.Vulnerabilities[]? | .Severity' | sort | uniq -c | sort -nr || true
114+
104115 echo ""
105116 echo "📄 Detailed SARIF report saved as trivy-fs-${{ matrix.service }}.sarif"
106117 continue-on-error : true
@@ -111,15 +122,22 @@ jobs:
111122 echo "🔍 DEPENDENCY SECURITY AUDIT FOR ${{ matrix.service }}"
112123 echo "==============================================="
113124
114- # Generate JSON report regardless of vulnerabilities
115- yarn audit --groups dependencies --level moderate --json > yarn-audit-${{ matrix.service }}.json || true
125+ # Generate comprehensive JSON report (all dependencies, all severity levels)
126+ yarn audit --json > yarn-audit-${{ matrix.service }}-full.json || true
127+ yarn audit --groups dependencies --level info --json > yarn-audit-${{ matrix.service }}.json || true
116128
117- # Display human-readable report directly in workflow
118- echo "📊 VULNERABILITY SUMMARY:"
119- yarn audit --groups dependencies --level moderate || true
129+ # Display human-readable report directly in workflow (show ALL vulnerabilities)
130+ echo "📊 VULNERABILITY SUMMARY (ALL SEVERITIES):"
131+ echo "--- ALL DEPENDENCIES (including dev) ---"
132+ yarn audit || true
133+ echo ""
134+ echo "--- PRODUCTION DEPENDENCIES ONLY ---"
135+ yarn audit --groups dependencies --level info || true
120136
121137 echo ""
122- echo "📄 Detailed JSON report saved as yarn-audit-${{ matrix.service }}.json"
138+ echo "📄 Reports saved:"
139+ echo " - yarn-audit-${{ matrix.service }}-full.json (all deps, all severities)"
140+ echo " - yarn-audit-${{ matrix.service }}.json (prod deps, all severities)"
123141 continue-on-error : true
124142
125143 - name : Run detect-secrets scan
@@ -166,7 +184,7 @@ jobs:
166184 path : |
167185 trivy-fs-${{ matrix.service }}.sarif
168186 yarn-audit-${{ matrix.service }}.json
169- yarn-audit-${{ matrix.service }}.txt
187+ yarn-audit-${{ matrix.service }}-full.json
170188 .secrets.baseline
171189 retention-days : 30
172190
@@ -328,12 +346,23 @@ jobs:
328346 echo "🔍 CONTAINER SECURITY SCAN RESULTS FOR ${{ matrix.service }}"
329347 echo "===================================================="
330348
331- # Run Trivy again with table format for readable output
349+ # Run Trivy again with table format for readable output (show ALL vulnerabilities)
350+ echo "📊 DETAILED VULNERABILITY TABLE:"
332351 docker run --rm aquasec/trivy:latest image \
333352 --format table \
334353 --severity UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL \
354+ --ignore-unfixed=false \
335355 ghcr.io/${{ github.repository }}/mark-${{ matrix.service }}:${{ env.IMAGE_TAG }} || true
336356
357+ echo ""
358+ echo "📋 SUMMARY BY SEVERITY:"
359+ docker run --rm aquasec/trivy:latest image \
360+ --format json \
361+ --severity UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL \
362+ --ignore-unfixed=false \
363+ ghcr.io/${{ github.repository }}/mark-${{ matrix.service }}:${{ env.IMAGE_TAG }} 2>/dev/null | \
364+ jq -r '.Results[]?.Vulnerabilities[]? | .Severity' | sort | uniq -c | sort -nr || true
365+
337366 echo ""
338367 echo "📄 Detailed SARIF report saved as trivy-container-${{ matrix.service }}.sarif"
339368 continue-on-error : true
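Review bot: The new `--format json` severity summary (new-side lines 359–364 here, and the same construct in the filesystem scan step at 108–113) hides scanner failures: `2>/dev/null` discards Trivy's stderr and, because `|| true` only covers the final `sort -nr`, a failed scan (DB download error, image pull failure) prints nothing under "SUMMARY BY SEVERITY", which reads as zero findings. Drop the `2>/dev/null`, and either set `shell: bash` on the step (GitHub's named bash shell runs with `-o pipefail`) or begin the script with `set -o pipefail` so the pipeline carries Trivy's exit status; then `|| echo "severity summary unavailable: trivy or jq failed"` in place of `|| true` makes the failure visible in the log rather than silent. The added `docker run` also pulls `aquasec/trivy:latest`, a mutable tag, so two runs of the same commit can use different scanner versions; pin it (`aquasec/trivy:<pinned-version>`, or a digest) for reproducible results. The `run:` block these lines belong to starts above the hunk, so the step's shell setting is not visible here.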