@DmitriyLewen could you take a look?

Hello @Maxim-Durand

What do you think about adding these changes to Trivy?
I think it will be better this way because users who don't use trivy-action will be able to get these changes.
e.g. we can use ArtifactName here - https://github.com/aquasecurity/trivy/blob/fb36c4ed09efc3fc241d02713c4cc864b6c6a2c8/pkg/report/github/github.go#L107-L111

But I'm still not sure if I should use image name.
Docs says :The path of the manifest file relative to the root of the Git repository.:

Perhaps we need to use filepath from image.

What do you think about adding these changes to Trivy? I think it will be better this way because users who don't use trivy-action will be able to get these changes.

You're totally right, I didn't know trivy supported reports to github.
I created the following PR in trivy aquasecurity/trivy#5999, and will update this one if needed later on.

Perhaps we need to use filepath from image.

If you're scanning the image Dockerfile then yes but in the case you're scanning a remote image you won't have a filepath available.

This would be very handy, I'm currently finding it difficult to tell whether it's the nightly build, or a release build that I scan nightly that has vulnerabilities because they show up the same way in the github security tab (via the sarif upload)

Hello @RichardoC
We are discussing adding these changes to the Trivy template. - aquasecurity/trivy#5999 (comment)
It will be great if you share your opinion on the changes being discussed based on your experience.