ci: Cat 1072 security nightly cleanup #17983
cubic analysis
1 issue found across 2 files
[.Results[] | select(.Vulnerabilities != null) | .Vulnerabilities[]] |
group_by(.VulnerabilityID) |
map(.[0]) |
sort_by((.Severity == "HIGH" | if . then 1 else 0 end), -((.CVSS.nvd.V3Score // 0) | tonumber? // 0)) |
Invalid two-parameter call to sort_by will make the Slack-block jq script crash, so no Slack message will be posted.
Address the following comment on .github/workflows/security-trivy-scan-callable.yml at line 178:
<file context>
@@ -4,123 +4,206 @@ on:
workflow_dispatch:
inputs:
image_ref:
- description: Full image reference to scan e.g ghcr.io/n8n-io/n8n:latest
+ description: 'Full image reference to scan e.g. ghcr.io/n8n-io/n8n:latest'
required: true
default: 'ghcr.io/n8n-io/n8n:latest'
workflow_call:
inputs:
</file context>
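Review bot: the quoting in the `+` line is the substantive part of this hunk, not just the `e.g.` typo fix: an unquoted YAML scalar that ever gains a colon followed by a space (easy to do when editing an image-reference example) is parsed as a nested mapping and breaks the workflow file, and `default: 'ghcr.io/n8n-io/n8n:latest'` on the following line was already quoted, so the two are now consistent. Since `image_ref` is a `workflow_dispatch` input supplied at run time, it is also worth confirming it is only ever passed to the scanner as a plain argument and never interpolated unquoted into a shell `run:` step.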
sort_by((.Severity == "HIGH" | if . then 1 else 0 end), -((.CVSS.nvd.V3Score // 0) | tonumber? // 0)) |
sort_by([(.Severity == "HIGH" | if . then 1 else 0 end), -((.CVSS.nvd.V3Score // 0) | tonumber? // 0)]) |
I am happy to approve this, but I can't shake the feeling that all the inline jq logic within the workflow makes this kinda hard to read and understand. While writing a custom GH action with typescript might be an overkill, maybe doing this with a simple JS script or moving the logic to shell files might make more sense. WDYT?
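The jq pipeline quoted in cubic's file context above, together with the suggestion here to move that logic into a plain JS script, as an added example that is not code from the n8n repository: the same flatten, dedupe and sort steps written in Node.js and run over a constructed Trivy-style report with placeholder vulnerability IDs. It reproduces the workflow's sort order exactly as written (ascending on both keys), so it shows which findings actually come first.

```javascript
// Added example, not n8n's own code. Field names follow Trivy's JSON report
// (Results[].Vulnerabilities[].{VulnerabilityID,Severity,CVSS.nvd.V3Score}).

// [.Results[] | select(.Vulnerabilities != null) | .Vulnerabilities[]]
// Trivy emits `Vulnerabilities: null` for a clean target, so skip those.
function flattenVulnerabilities(report) {
  return (report.Results ?? []).flatMap((r) => r.Vulnerabilities ?? []);
}

// (.CVSS.nvd.V3Score // 0) | tonumber? // 0  -> numeric score, 0 if absent/unparseable
function nvdScore(vuln) {
  const n = Number(vuln?.CVSS?.nvd?.V3Score ?? 0);
  return Number.isFinite(n) ? n : 0;
}

// group_by(.VulnerabilityID) | map(.[0]): one entry per CVE, keeping the first
// occurrence (the same ID is often reported once per affected package).
function dedupeById(vulns) {
  const seen = new Map();
  for (const v of vulns) if (!seen.has(v.VulnerabilityID)) seen.set(v.VulnerabilityID, v);
  return [...seen.values()];
}

// sort_by(HIGH ? 1 : 0, -score): jq sorts ascending, so as written non-HIGH
// findings come BEFORE HIGH ones; within a group, higher scores come first.
// The ID tiebreak keeps the output deterministic (group_by already orders IDs).
function sortLikeWorkflow(vulns) {
  return [...vulns].sort((a, b) => {
    const highA = a.Severity === "HIGH" ? 1 : 0;
    const highB = b.Severity === "HIGH" ? 1 : 0;
    if (highA !== highB) return highA - highB;
    const byScore = nvdScore(b) - nvdScore(a);
    return byScore !== 0 ? byScore : a.VulnerabilityID.localeCompare(b.VulnerabilityID);
  });
}

function summarizeReport(report) {
  return sortLikeWorkflow(dedupeById(flattenVulnerabilities(report)));
}

// Constructed sample report; the IDs are placeholders, not real CVEs.
const SAMPLE_REPORT = { Results: [
  { Target: "os-packages", Vulnerabilities: null },
  { Target: "node-pkg", Vulnerabilities: [
    { VulnerabilityID: "CVE-EXAMPLE-0001", PkgName: "libfoo", Severity: "HIGH", CVSS: { nvd: { V3Score: 7.5 } } },
    { VulnerabilityID: "CVE-EXAMPLE-0002", PkgName: "libbar", Severity: "MEDIUM", CVSS: { nvd: { V3Score: 5.3 } } },
    { VulnerabilityID: "CVE-EXAMPLE-0001", PkgName: "libfoo-dev", Severity: "HIGH", CVSS: { nvd: { V3Score: 7.5 } } },
    { VulnerabilityID: "CVE-EXAMPLE-0003", PkgName: "libbaz", Severity: "HIGH", CVSS: {} },
    { VulnerabilityID: "CVE-EXAMPLE-0004", PkgName: "libqux", Severity: "LOW" },
  ] },
] };

if (typeof require !== "undefined" && require.main === module) {
  for (const v of summarizeReport(SAMPLE_REPORT))
    console.log(`${v.Severity.padEnd(8)} ${nvdScore(v).toFixed(1)} ${v.VulnerabilityID} (${v.PkgName})`);
}
```

Swapping the two sort keys' sign (or reversing the result) is all it takes to list HIGH first, which is worth deciding explicitly before the output goes into a Slack block.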
@@ -34,3 +34,4 @@ compiled_app_output | |||
trivy_report* | |||
compiled | |||
packages/cli/src/modules/my-feature | |||
.secrets |
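Review bot: the `.secrets` entry stops a local secrets file from being staged, but `.gitignore` does not untrack a file that is already committed, so it is worth a quick check that no `.secrets` exists anywhere in the history; a trailing comment on the line saying what it is for (local `act` runs, per the discussion on this PR) would also spare the next reader the same question.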
Out of curiosity, is this for local development or something?
Yeah it's for "ACT" which lets you run the workflows locally. It's a lifesaver for work like this.
E2E Tests: n8n tests passed after 3m 54.9s (posted automatically by currents.dev)
Yeah I think you are right. As annoying as it would be I feel like having something to parse/format for Markdown in a script would be much more useful.
Got released with
Summary
Related Linear tickets, Github issues, and Community forum posts
https://linear.app/n8n/issue/CAT-1072/ci-remove-positive-result-from-nightly-security-scan
Review / Merge checklist
release/backport (if the PR is an urgent fix that needs to be backported)