Update README.md

Signed-off-by: Simar <simar@linux.com>

README.md

@@ -88,6 +88,43 @@ jobs:
 
 You can find a more in-depth example here: https://github.com/aquasecurity/trivy-sarif-demo/blob/master/.github/workflows/scan.yml
 
+If you would like to upload SARIF results to GitHub Code scanning even upon a non zero exit code from Trivy Scan, you can add the following to your upload step:
+```yaml
+name: build
+on:
+  push:
+    branches:
+      - master
+  pull_request:
+jobs:
+  build:
+    name: Build
+    runs-on: ubuntu-18.04
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v2
+
+      - name: Build an image from Dockerfile
+        run: |
+          docker build -t docker.io/my-organization/my-app:${{ github.sha }} .
+
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@master
+        with:
+          image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}'
+          format: 'template'
+          template: '@/contrib/sarif.tpl'
+          output: 'trivy-results.sarif'
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v1
+        if: always() 
+        with:
+          sarif_file: 'trivy-results.sarif'
+```
+
+See this for more details: https://docs.github.com/en/actions/learn-github-actions/expressions#always
+
 ### Using Trivy to scan your Git repo
 It's also possible to scan your git repos with Trivy's built-in repo scan. This can be handy if you want to run Trivy as a build time check on each PR that gets opened in your repo. This helps you identify potential vulnerablites that might get introduced with each PR.
 

entrypoint.sh

@@ -70,7 +70,6 @@ if [ $cacheDir ];then
   GLOBAL_ARGS="$GLOBAL_ARGS --cache-dir $cacheDir"
 fi
 
-SARIF_ARGS=""
 ARGS=""
 if [ $format ];then
  ARGS="$ARGS --format $format"
@@ -83,11 +82,9 @@ if [ $exitCode ];then
 fi
 if [ "$ignoreUnfixed" == "true" ] && [ "$scanType" != "config" ];then
   ARGS="$ARGS --ignore-unfixed"
-  SARIF_ARGS="$SARIF_ARGS --ignore-unfixed"
 fi
 if [ $vulnType ] && [ "$scanType" != "config" ];then
   ARGS="$ARGS --vuln-type $vulnType"
-  SARIF_ARGS="$SARIF_ARGS --vuln-type $vulnType"
 fi
 if [ $severity ];then
   ARGS="$ARGS --severity $severity"
@@ -99,7 +96,6 @@ if [ $skipDirs ];then
   for i in $(echo $skipDirs | tr "," "\n")
   do
     ARGS="$ARGS --skip-dirs $i"
-    SARIF_ARGS="$SARIF_ARGS --skip-dirs $i"
   done
 fi
 if [ $timeout ];then
@@ -107,7 +103,6 @@ if [ $timeout ];then
 fi
 if [ $ignorePolicy ];then
   ARGS="$ARGS --ignore-policy $ignorePolicy"
-  SARIF_ARGS="$SARIF_ARGS --ignore-policy $ignorePolicy"
 fi
 if [ "$hideProgress" == "true" ];then
   ARGS="$ARGS --no-progress"
@@ -122,8 +117,8 @@ returnCode=$?
 # regardless of severity level specified in this report.
 # This is a feature, not a bug :)
 if [[ ${template} == *"sarif"* ]]; then
-  echo "Building SARIF report with options: ${SARIF_ARGS}" "${artifactRef}"
-  trivy --quiet ${scanType} --format template --template ${template} --output ${output} $SARIF_ARGS ${artifactRef}
+  echo "Building SARIF report"
+  trivy --quiet ${scanType} --format template --template ${template} --output ${output} ${artifactRef}
 fi
 
 exit $returnCode