coder · coadler · Mar 6, 2024 · Mar 5, 2024
diff --git a/.github/workflows/security.yaml b/.github/workflows/security.yaml
@@ -28,14 +28,14 @@ jobs:
       - name: Checkout
         uses: actions/checkout@v4
 
+      - name: Setup Go
+        uses: ./.github/actions/setup-go
+
       - name: Initialize CodeQL
         uses: github/codeql-action/init@v3
         with:
           languages: go, javascript
 
-      - name: Setup Go
-        uses: ./.github/actions/setup-go
-
       # Workaround to prevent CodeQL from building the dashboard.
       - name: Remove Makefile
         run: |
@@ -113,14 +113,6 @@ jobs:
           make -j "$image_job"
           echo "image=$(cat "$image_job")" >> $GITHUB_OUTPUT
 
-      - name: Run Prisma Cloud image scan
-        uses: PaloAltoNetworks/prisma-cloud-scan@v1
-        with:
-          pcc_console_url: ${{ secrets.PRISMA_CLOUD_URL }}
-          pcc_user: ${{ secrets.PRISMA_CLOUD_ACCESS_KEY }}
-          pcc_pass: ${{ secrets.PRISMA_CLOUD_SECRET_KEY }}
-          image_name: ${{ steps.build.outputs.image }}
-
       - name: Run Trivy vulnerability scanner
         uses: aquasecurity/trivy-action@84384bd6e777ef152729993b8145ea352e9dd3ef
         with:
@@ -142,6 +134,16 @@ jobs:
           path: trivy-results.sarif
           retention-days: 7
 
+      # Prisma cloud scan runs last because it fails the entire job if it
+      # detects vulnerabilities. :|
+      - name: Run Prisma Cloud image scan
+        uses: PaloAltoNetworks/prisma-cloud-scan@v1
+        with:
+          pcc_console_url: ${{ secrets.PRISMA_CLOUD_URL }}
+          pcc_user: ${{ secrets.PRISMA_CLOUD_ACCESS_KEY }}
+          pcc_pass: ${{ secrets.PRISMA_CLOUD_SECRET_KEY }}
+          image_name: ${{ steps.build.outputs.image }}
+
       - name: Send Slack notification on failure
         if: ${{ failure() }}
         run: |