report schema

brendan-kellam · brendan-kellam · commit 966956be51a2 · 2026-04-14T14:59:58.000-07:00
diff --git a/.github/workflows/trivy-vulnerability-triage.yml b/.github/workflows/trivy-vulnerability-triage.yml
@@ -89,17 +89,21 @@ jobs:
           claude_args: |
             --allowedTools Bash,Read,Write,Edit,Glob,Grep
             --model claude-sonnet-4-6
+            --json-schema '{"type":"object","properties":{"report":{"type":"string","description":"Full vulnerability triage report in markdown format"}},"required":["report"]}'
           prompt: |
             You are a security engineer triaging a Trivy vulnerability scan for the Sourcebot Docker image.
- 
+
             ## Your Task
- 
+
             Your task is to read and analyze the Trivy scan results in `trivy-results.txt`. You should group
-            CVEs into the minimum set of actionable remidation items. Many CVEs can share a signle remidation
+            CVEs into the minimum set of actionable remediation items. Many CVEs can share a single remediation
             item. Read files such as `Dockerfile`, `package.json` and `go.mod` to gather information about
             dependencies within Sourcebot. Use `yarn why <package> --recursive` to determine why a given
-            npm package is being included. Report your findings in a concise and readible format for a engineer
+            npm package is being included. Report your findings in a concise and readable format for an engineer
             to review.
 
+            Return your full report as markdown in the `report` field.
+
       - name: Write job summary
-        run: echo "${{ steps.claude.outputs.conclusion }}" >> "$GITHUB_STEP_SUMMARY"
+        run: |
+          echo '${{ steps.claude.outputs.structured_output }}' | jq -r '.report' >> "$GITHUB_STEP_SUMMARY"
