@@ -28,14 +28,14 @@ jobs:
2828 -name :Checkout
2929uses :actions/checkout@v4
3030
31+ -name :Setup Go
32+ uses :./.github/actions/setup-go
33+
3134 -name :Initialize CodeQL
3235uses :github/codeql-action/init@v3
3336with :
3437languages :go, javascript
3538
36- -name :Setup Go
37- uses :./.github/actions/setup-go
38-
3939# Workaround to prevent CodeQL from building the dashboard.
4040 -name :Remove Makefile
4141run :|
@@ -113,14 +113,6 @@ jobs:
113113 make -j "$image_job"
114114 echo "image=$(cat "$image_job")" >> $GITHUB_OUTPUT
115115
116- name :Run Prisma Cloud image scan
117- uses :PaloAltoNetworks/prisma-cloud-scan@v1
118- with :
119- pcc_console_url :${{ secrets.PRISMA_CLOUD_URL }}
120- pcc_user :${{ secrets.PRISMA_CLOUD_ACCESS_KEY }}
121- pcc_pass :${{ secrets.PRISMA_CLOUD_SECRET_KEY }}
122- image_name :${{ steps.build.outputs.image }}
123-
124116name :Run Trivy vulnerability scanner
125117uses :aquasecurity/trivy-action@84384bd6e777ef152729993b8145ea352e9dd3ef
126118with :
@@ -142,6 +134,16 @@ jobs:
142134path :trivy-results.sarif
143135retention-days :7
144136
137+ # Prisma cloud scan runs last because it fails the entire job if it
138+ # detects vulnerabilities. :|
139+ -name :Run Prisma Cloud image scan
140+ uses :PaloAltoNetworks/prisma-cloud-scan@v1
141+ with :
142+ pcc_console_url :${{ secrets.PRISMA_CLOUD_URL }}
143+ pcc_user :${{ secrets.PRISMA_CLOUD_ACCESS_KEY }}
144+ pcc_pass :${{ secrets.PRISMA_CLOUD_SECRET_KEY }}
145+ image_name :${{ steps.build.outputs.image }}
146+
145147 -name :Send Slack notification on failure
146148if :${{ failure() }}
147149run :|