fix(ci): improve markdown formatting in scheduled trivy scan output

fyzanshaik-atlan · fyzanshaik-atlan · commit 791512e48b5b · 2026-02-17T00:08:55.000+05:30
- Use heredoc for DESCRIPTION to eliminate leading whitespace that
  caused markdown to render as code blocks
- Add table headers per vulnerability section in vuln_summary so
  each section renders as a proper markdown table
- Replace plain text counts with a summary table for better readability
- Remove orphaned table header that was separated from data rows by
  section headings
diff --git a/.github/workflows/scheduled-trivy-scan.yml b/.github/workflows/scheduled-trivy-scan.yml
@@ -134,13 +134,17 @@ jobs:
               if [ "$IMAGE_VULNS" -gt 0 ]; then
                 echo "### Docker Image Vulnerabilities ($IMAGE_VULNS)"
                 echo ""
+                echo "| Severity | Package | Installed | Fixed | CVE |"
+                echo "|----------|---------|-----------|-------|-----|"
                 jq -r '.Results[]?.Vulnerabilities[]? | select(.Severity == "CRITICAL" or .Severity == "HIGH") | "| \(.Severity) | \(.PkgName) | \(.InstalledVersion) | \(.FixedVersion // "N/A") | \(.VulnerabilityID) |"' trivy-image.json | sort -t'|' -k2,2 | head -50
                 echo ""
               fi
 
               if [ "$DEPS_VULNS" -gt 0 ]; then
                 echo "### Dependency Vulnerabilities ($DEPS_VULNS)"
                 echo ""
+                echo "| Severity | Package | Installed | Fixed | CVE |"
+                echo "|----------|---------|-----------|-------|-----|"
                 jq -r '.Results[]?.Vulnerabilities[]? | select(.Severity == "CRITICAL" or .Severity == "HIGH") | "| \(.Severity) | \(.PkgName) | \(.InstalledVersion) | \(.FixedVersion // "N/A") | \(.VulnerabilityID) |"' trivy-deps.json | sort -t'|' -k2,2 | head -50
                 echo ""
               fi
@@ -205,26 +209,28 @@ jobs:
 
           TITLE="[Security] $SERVICE — $TOTAL_VULNS CRITICAL,HIGH vulnerabilities ($DATE)"
 
-          DESCRIPTION="## Scheduled Trivy Scan Results
+          read -r -d '' DESCRIPTION << DESC_EOF || true
+## Scheduled Trivy Scan Results
 
-          **Service:** $SERVICE
-          **Repository:** [$REPO](${{ github.server_url }}/${{ github.repository }})
-          **Scan date:** $DATE
-          **Workflow run:** [View logs]($RUN_URL)
+**Service:** $SERVICE
+**Repository:** [$REPO](${{ github.server_url }}/${{ github.repository }})
+**Scan date:** $DATE
+**Workflow run:** [View logs]($RUN_URL)
 
-          ---
+---
 
-          **Image vulnerabilities:** $IMAGE_VULNS
-          **Dependency vulnerabilities:** $DEPS_VULNS
-          **Total:** $TOTAL_VULNS
+| Metric | Count |
+|--------|-------|
+| Image vulnerabilities | $IMAGE_VULNS |
+| Dependency vulnerabilities | $DEPS_VULNS |
+| **Total** | **$TOTAL_VULNS** |
 
-          | Severity | Package | Installed | Fixed | CVE |
-          |----------|---------|-----------|-------|-----|
-          $VULN_SUMMARY
+$VULN_SUMMARY
 
-          ---
+---
 
-          *This ticket was automatically created by the scheduled Trivy scan workflow.*"
+*This ticket was automatically created by the scheduled Trivy scan workflow.*
+DESC_EOF
 
           # Build GraphQL mutation
           MUTATION=$(jq -n \
